[Ach] Proposal to Remove legacy TLS Ciphersuites Offered by Firefox

Alexander Wuerstlein arw at cs.fau.de
Sun Jan 5 17:28:02 CET 2014


On 14-01-05 16:56, Aaron Zauner <azet at azet.org> wrote:
> On Sun, Jan 5, 2014 at 4:27 PM, Kurt Roeckx <kurt at roeckx.be> wrote:
> 
> > On Fri, Jan 03, 2014 at 12:19:10AM +0100, Aaron Zauner wrote:
> > >
> > > > 3DES isn't broken.
> > > Triple DES provides about 112-bit security (We've a section on the topic
> > > in the Paper in the Keylengths section). All ciphers that we
> > > recommend are at least at 128-bit security.
> >
> > The document doesn't seem to say that it's trying to reach a 128
> > bit security level over the whole chain.  It seems to be happy
> > with 2048 bit RSA keys.  They also provide 112 bit security.
> >
> > If you really want to go for 128 bit, you need to have the RSA
> > keys of at least something in the order of 3072 bit.  If 2048
> > is fine, 3DES is fine.
> 
> That is true, the issue being that some software and hardware platforms do
> not support RSA keys above 2048bit as of now.
> 
> I mean - I do not really have an issue with discussing to put 3DES in
> there. We were a bit time restricted to do our research (i.e. we limited
> ourselves to certain ciphers) and since this is still in draft stage we're
> able to change things like that.
> 
> Input from anyone else on the list?

While there are certain uses for 3DES, e.g. backward-compatibility in
cases where it's really necessary, generally 3DES being EOL should be a
red flag imho: no further research from the good guys will go into 3DES,
since all the papers would be rejected with "oh, that old crap, don't
you have something interesting?". Otoh, this is a great situation for
the bad guys.

Also, since efficiency seems to be a concern, especially coming from the
browser crowd, 3DES is worse than the alternatives like AES.

Generally I would suggest keeping the current level of security (128
bit, except where maybe RSA doesn't work for some reasons) and maybe
provide a hint like "We don't recommend 3DES, but if you really really
need it for old crap like Win XP or Java, add this:...". And if in the
general case some old clients can't connect, so be it, maybe they'll
take the hint and upgrade, fix their stuff, etc. Vendors will only fix
stuff if enough users start complaining (for non-EOL products) and users
will only update if stuff doesn't work.

Ciao,

Alexander Wuerstlein.
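Kurt's point above, that a 3DES suite and an AES-128 suite are both capped at 112 bits by an RSA-2048 certificate, is easy to check mechanically. The following script is an added example and not part of the thread or of the draft paper being discussed: it takes an OpenSSL-style cipher suite name plus the certificate and key-exchange key sizes, rates each link of the chain with the security-strength equivalences from NIST SP 800-57 Part 1 (Table 2), and reports the weakest link. The function names, the suite-name parsing and the sample inputs are this example's own assumptions.

```python
"""Weakest-link security-strength check for a TLS cipher suite.

Added example, not code from the Ach list or the paper under discussion.
Strength equivalences follow NIST SP 800-57 Part 1, Table 2:
  112-bit: 3-key 3DES, RSA/DH 2048, ECC 224
  128-bit: AES-128,    RSA/DH 3072, ECC 256
Suite names are OpenSSL-style ("ECDHE-RSA-AES128-GCM-SHA256").
"""
import re


def symmetric_strength(suite):
    """Effective strength of the bulk cipher named in the suite."""
    if "DES-CBC3" in suite or "3DES" in suite:
        # 168-bit key, but the meet-in-the-middle attack caps it near 2^112
        return 112
    if "CHACHA20" in suite:
        return 256
    m = re.search(r"(AES|CAMELLIA)(128|256)", suite)
    if not m:
        raise ValueError("unknown bulk cipher in suite %r" % suite)
    return int(m.group(2))


def finite_field_strength(bits):
    """RSA or finite-field DH modulus size -> security strength in bits."""
    for modulus, strength in ((15360, 256), (7680, 192), (3072, 128),
                              (2048, 112), (1024, 80)):
        if bits >= modulus:
            return strength
    return 0


def ecc_strength(bits):
    """Elliptic-curve key (curve order) size -> security strength in bits."""
    for size, strength in ((512, 256), (384, 192), (256, 128),
                           (224, 112), (160, 80)):
        if bits >= size:
            return strength
    return 0


def chain_strength(suite, cert_bits, cert_alg="RSA", kex_bits=None):
    """Rate every link of the negotiated chain and return the weakest.

    cert_bits: RSA modulus size or EC curve size of the server certificate.
    kex_bits:  ephemeral DH modulus size (DHE) or curve size (ECDHE);
               static RSA key exchange reuses the certificate key.
    Returns (weakest_bits, weakest_link_name, per_link_dict).
    """
    links = {"cipher": symmetric_strength(suite)}
    if cert_alg == "ECDSA":
        links["auth"] = ecc_strength(cert_bits)
    else:
        links["auth"] = finite_field_strength(cert_bits)

    if suite.startswith("ECDHE-"):
        if kex_bits is None:
            raise ValueError("ECDHE suite needs the curve size as kex_bits")
        links["kex"] = ecc_strength(kex_bits)
    elif suite.startswith(("DHE-", "EDH-")):
        if kex_bits is None:
            raise ValueError("DHE suite needs the DH modulus size as kex_bits")
        links["kex"] = finite_field_strength(kex_bits)
    else:
        # static RSA key exchange: the premaster secret is encrypted
        # to the certificate key, so that key bounds the exchange too
        links["kex"] = links["auth"]

    weakest = min(links, key=links.get)
    return links[weakest], weakest, links


def meets_target(suite, cert_bits, target=128, cert_alg="RSA", kex_bits=None):
    """True if no link of the chain falls below the target strength."""
    return chain_strength(suite, cert_bits, cert_alg, kex_bits)[0] >= target


if __name__ == "__main__":
    # Constructed sample configurations illustrating the thread's argument.
    samples = [
        ("DES-CBC3-SHA", 2048, "RSA", None),
        ("AES128-SHA", 2048, "RSA", None),
        ("AES128-SHA", 3072, "RSA", None),
        ("ECDHE-RSA-AES128-GCM-SHA256", 2048, "RSA", 256),
        ("ECDHE-ECDSA-AES128-GCM-SHA256", 256, "ECDSA", 256),
    ]
    for suite, cert, alg, kex in samples:
        bits, link, detail = chain_strength(suite, cert, alg, kex)
        print("%-32s %s-%d: %3d bits, limited by %s %s"
              % (suite, alg, cert, bits, link, detail))
```

Run directly, the script shows that with an RSA-2048 certificate both `DES-CBC3-SHA` and `AES128-SHA` come out at 112 bits (the 3DES suite is limited by the cipher, the AES suite by the key), and that the AES suite only reaches 128 bits once the certificate moves to RSA-3072 or an ECDSA P-256 key.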
