[Ach] ECDHE and DHE

Jeff Hodges jeff at somethingsimilar.com
Sun Jan 5 22:29:36 CET 2014

Putting DHE ahead of ECDHE is not great. The prohibitive cost of DHE
without elliptical curves means that the major web services that currently
support DHE would probably have to remove its support completely if they
weren't able to soften the blow by having ECDHE cipher suites preferred.
Asking smaller websites, that have much less security risk and much more
opportunity cost for that CPU and network time, is not kind.

It is known that the NIST parameters are not ideal, and folks running *DHE
cipher suites look forward to ChaCha20/Poly1305. However, that won't be a
choice for a non-trivial amount of traffic for some time; longer, I
believe, than Better Crypto's time-to-publish.

It is unfortunate, but the choice that more likely gets readers to deploy
the Better Crypto recommendations appears to be supporting ECDHE cipher
suites first and prepping the readers for a world of ChaCha20/Poly1305.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20140105/da251752/attachment.html>

More information about the Ach mailing list