[Ach] Proposal to Remove legacy TLS Ciphersuits Offered by Firefox

Julien Vehent julien at linuxwall.info
Fri Jan 3 22:04:06 CET 2014

On 2014-01-03 12:58, ianG wrote:
> On 3/01/14 19:24 PM, Julien Vehent wrote:
>> On 2014-01-02 18:59, ianG wrote:
>>> On 3/01/14 01:06 AM, Julien Vehent wrote:
>>>> 3DES isn't broken.
>>> No, but it is end of life.  112bit security for the 2key variant, and
>>> an 8 byte block makes it just old.  If you've got AES there, use it.
>>> Who hasn't got it?
>> See https://wiki.mozilla.org/Security/Server_Side_TLS#RC4_weaknesses
>> "Internet Explorer uses the cryptographic library “schannel”, which is
>> OS dependent. schannel supports AES in Windows Vista, but not in Windows
>> XP."
> Right, Windows XP.  Which is end of life.

Microsoft killing support for a product isn't the same thing as people 
throwing away their computers.

Or, are you implying that because Microsoft is ending the life of XP, we 
should feel comfortable disconnecting these people from the internet? I'm not 
sure what they did to deserve that, except spending thousands of dollars on a 
computer years ago.

>>> Hmmm..  Are the Chinese blocked from stronger crypto?
>> According to http://www.modern.ie/ie6countdown:
>>   * 22.2% of China uses IE6
>>   * 4.9% of users worldwide use IE6
> Thanks for that!  More end of life.  And DJB says it's worse, we've 
> retrograded to about 50% RC4 usage.

Apples and oranges. Some website owners prefer RC4 for various reasons, but 
it's different from what clients can actually negotiate.
Even if all website owners update their ciphersuite tomorrow, that won't 
replace the millions of computers that are stuck on RC4 and 3DES.

>> I believe that our job, as security professionals, is to provide the
>> best security to everyone.
> That is mozilla's mission.  It provides its products to everyone.  Which 
> naturally means it cannot and does not provide the 'best security' to every 
> person, rather it provides the best 'security for everyone'.
> Different story -- one moves security up, at the expense of users, the 
> other keeps users happy, but puts security on a race to the bottom.
>> Not only to the people that have a better
>> access to technology.
>> This is consistent with Mozilla's mission.
> Absolutely!  I'm well familiar with how the monolith of Mozilla's mission 
> casts a shadow over security.
> BetterCrypto however is seeking ... *better crypto*.  And that is a 
> different goal.  Different users, different tradeoffs.
> Where the two groups part company is on bad crypto.  If IE6 and XP users 
> have bad crypto, then BetterCrypto is not for them.
>> So we won't disable old
>> crypto algorithms because the security community admits that they are
>> bad. We have to live with them.
> Sure.  And to some extent I don't disagree -- K6 speaks to ease of use and 
> availability;  it is the number one, dominating law for security.
> But the enemy of cryptography is time;  what was secure then is not now.  
> It doesn't take much to deal with it, but unfortunately the powers that be 
> SSL have fiddled around adding more and not chopping away. Always because 
> someone wants to keep it around.
> This is a rock and a hard place.  The rock of upgrading has met the hard 
> place of legacy users.
> Where this goes from here is tension:  BetterCrypto and groups like it 
> will continue to deprecate those ciphers.  Users will start to suffer. Users 
> will complain.  Mozilla and browsers and so forth will cop the brunt of the 
> suffering.  Very unfair.
> But meanwhile the fix is in.  And if there is one thing we do know, the 
> juggernaut of SSL/IETF/PKIX/CABForum/OpenSSL/NSS/NIST/Sun/ and a dozen other 
> acronyms I've forgotten ... are not going to push on this front. They are 
> going to do what they always do:  act as if every old cipher is like a limb, 
> squealing and moaning at the thought that it is going to be cut off, all the 
> while salivating at the chance to add another cipher suite, more, moar!
> :) prove me wrong!  See how long it takes to get any of those groups of 
> power to announce an end of life for RC4.  Or 3DES.  Bloody android is still 
> using MD5, last I heard...
> BetterCrypto *has to lead* because everyone else is following each other 
> in a big circle.
> iang

I'm not sure what, in my message, triggered such a strong reaction. As I 
said in a previous email:

     1. I think it's great to have two guides with divergent points of view.
        I'm mostly interested in discussing design choices, because these
        discussions are useful. I'm not interested in convincing the ACH group
        that one recommendation is better than the other, since it completely
        depends on the context.

If anyone has a secret sauce to replace all of the ancient software out 
there with newer ones that support TLS 1.2, OCSP Stapling and so on, I'm 200% 
up for it.
In the meantime, it's important that users can reach mozilla.org from IE6, 
so that they can install Firefox and enjoy stronger security.

- Julien
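The trade-off argued in this thread, modelled as server-preference ciphersuite selection (an added illustration, not code from the list or from Mozilla's guide): modern clients land on AES-GCM because the server prefers it, an XP-era schannel client that offers no AES still connects on 3DES, and dropping the legacy suites from the server list is what actually cuts that client off. The client offer lists are constructed, and the legacy-share helper is a suggested telemetry check, not something the thread describes.

```python
"""Server-preference ciphersuite negotiation, strongest first, legacy last."""
from typing import Dict, List, Optional

# Constructed server preference order: modern suites first, legacy fallbacks last.
SERVER_PREFS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # legacy fallback (112-bit, 8-byte block)
    "TLS_RSA_WITH_RC4_128_SHA",       # legacy fallback (weak stream cipher)
]
LEGACY = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"}

# Constructed client offers: a modern browser, and an XP-era schannel with no AES.
CLIENTS: Dict[str, List[str]] = {
    "modern": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "xp_ie": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
}


def negotiate(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """Return the first suite in server order that the client also offers,
    i.e. server-preference selection; None means the handshake fails."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def strip_legacy(server_prefs: List[str]) -> List[str]:
    """The 'remove legacy ciphersuites' proposal applied to the server list."""
    return [s for s in server_prefs if s not in LEGACY]


def negotiate_all(server_prefs: List[str],
                  clients: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Outcome per client population for a given server list."""
    return {name: negotiate(server_prefs, offer) for name, offer in clients.items()}


def legacy_share(results: Dict[str, Optional[str]]) -> float:
    """Fraction of successful handshakes that landed on a legacy suite: the
    number to watch over time before deciding the fallback can go."""
    done = [s for s in results.values() if s is not None]
    return sum(1 for s in done if s in LEGACY) / len(done) if done else 0.0


if __name__ == "__main__":
    print(negotiate_all(SERVER_PREFS, CLIENTS))          # xp_ie -> 3DES
    print(negotiate_all(strip_legacy(SERVER_PREFS), CLIENTS))  # xp_ie -> None
```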
