[Ach] Proposal to Remove legacy TLS Ciphersuits Offered by Firefox

ianG iang at iang.org
Fri Jan 3 18:58:19 CET 2014 

On 3/01/14 19:24 PM, Julien Vehent wrote:
> On 2014-01-02 18:59, ianG wrote:
>> On 3/01/14 01:06 AM, Julien Vehent wrote:
>>
>>
>>> 3DES isn't broken.
>>
>>
>> No, but it is end of life.  112bit security for the 2key variant, and
>> an 8 byte block makes it just old.  If you've got AES there, use it.
>> Who hasn't got it?
>
> See https://wiki.mozilla.org/Security/Server_Side_TLS#RC4_weaknesses
> "Internet Explorer uses the cryptographic library “schannel”, which is
> OS dependent. schannel supports AES in Windows Vista, but not in Windows
> XP."


Right, Windows XP.  Which is end of life.


>> Hmmm..  Are the Chinese blocked from stronger crypto?
>
> According to http://www.modern.ie/ie6countdown:
>   * 22.2% of China uses IE6
>   * 4.9% of users worlwide use IE6


Thanks for that!  More end of life.  And DJB says it's worse, we've 
retrograded to about 50% RC4 usage.

> I believe that our jobs, as security professionals, is to provide the
> best security to everyone.


That is mozilla's mission.  It provides its products to everyone.  Which 
naturally means it cannot and does not provide the 'best security' to 
every person, rather it provides the best 'security for everyone'.

Different story -- one moves security up, at the expense of users, the 
other keeps users happy, but puts security on a race to the bottom.


> Not only to the people that have a better
> access to technology.
> This is consistent with Mozilla's mission.

Absolutely!  I'm well familiar of how the monolith of Mozilla's mission 
casts a shadow over security.

BetterCrypto however is seeking ... *better crypto*.  And that is a 
different goal.  Different users, different tradeoffs.

Where the two groups part company is on bad crypto.  If IE6 and XP users 
have bad crypto, then BetterCrypto is not for them.

> So we won't disable old
> crypto algorithms because the security community admits that they are
> bad. We have to live with them.


Sure.  And to some extent I don't disagree -- K6 speaks to ease of use 
and availability;  it is the number one, dominating law for security.

But the enemy of cryptography is time;  what was secure then is not now. 
  It doesn't take much to deal with it, but unfortunately the powers 
that be SSL have fiddled around adding more and not chopping away. 
Always because someone wants to keep it around.



This is a rock and a hard place.  The rock of upgrading has met the hard 
place of legacy users.

Where this goes from here is tension:  BetterCrypto and groups like it 
will continue to deprecate those ciphers.  Users will start to suffer. 
Users will complain.  Mozilla and browsers and so forth will cop the 
brunt of the suffering.  Very unfair.

But meanwhile the fix is in.  And if there is one thing we do know, the 
juggernaut of SSL/IETF/PKIX/CABForum/OpenSSL/NSS/NIST/Sun/ and a dozen 
other acronyms I've forgotten ... are not going to push on this front. 
They are going to do what they always do:  act as if every old cipher is 
like a limb, squealing and moaning at the thought that it is going to be 
cut off, all the while salivating at the chance to add another cipher 
suite, more, moar!

:) prove me wrong!  See how long it takes to get any of those groups of 
power to announce an end of life for RC4.  Or 3DES.  Bloody android is 
still using MD5, last I heard...



BetterCrypto *has to lead* because everyone else is following each other 
in a big circle.



iang

More information about the Ach mailing list