[Ach] bettercrypto.org using non-optimal crypto?

Aaron Zauner azet at azet.org
Mon Jul 7 16:09:52 CEST 2014

Hi Alan,

Alan Orth wrote:
> Hey, all.
> I was just curious and checked the negotiated cipher suite used for
> bettercrypto.org, and I was a bit surprised to see that my Chrome 35 in
> GNU/Linux negotiated AES_256_CBC for encryption and SHA1 for message
> authentication.

Yup. That's up to Chrome. Not sure why it doesn't negotiate for AES-GCM

> SSL Labs gives an A+, but this doesn't seem optimal.  AES-CBC is
> vulnerable to padding oracle attacks and SHA1 is a dubious hashing
> algorithm by 2014 standards.
It negotiated TLS 1.2, padding oracle attacks in TLS have been fixed
with TLS 1.1. So that's not a real concern. I agree that SHA-1 is
inferior. As HMAC it should be OK though. But I strongly agree that this
should be improved in our recommended cipherstring (as I've noted before
on the list).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20140707/f87b68d1/attachment.sig>

More information about the Ach mailing list