[Ach] bettercrypto.org using non-optimal crypto?

Alan Orth alan.orth at gmail.com
Wed Jul 9 11:04:19 CEST 2014


Good to know about AES_CBC, Aaron!

Now, I just checked again, and bettercrypto.org is using AES_128_GCM
with DHE_RSA.  I haven't applied any updates in the last few days either...

For posterity, I was on Chromium Chrome/35.0.1916.153 on Arch GNU/Linux
x86_64.  Here's the ciphers ssllabs says my client supports:

Cipher Suites (in order of preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy	128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy	128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   Forward Secrecy	128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy	256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy	128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy	256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)   Forward Secrecy	128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   Forward Secrecy	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy	128
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy*	128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy	256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)	128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)	256
TLS_RSA_WITH_RC4_128_SHA (0x5)	128
TLS_RSA_WITH_RC4_128_MD5 (0x4)	128



On 07/08/2014 12:20 PM, Torsten Gigler wrote:
> Hi Alan,
> may I suggest that you check the ciphers that are active in your browser:
> https://www.ssllabs.com/ssltest/viewMyClient.html
> and provide the ciphers you get back from ssllabs.com.
> (This is the expected standard for Chrome 34:
> https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=34&platform=OS%20X)
> According to ssllabs, the server 'bettercrypto.org' should choose:
> Chrome 34 / OS X
> <https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=34&platform=OS%20X>
>  R		TLS 1.2 	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)  FS
> from the ciphers that your browser supports.
> Kind regards
> Torsten
> 2014-07-08 11:06 GMT+02:00 Aaron Zauner <azet at azet.org>:
>     Hi Alan,
>     Alan Orth wrote:
>     > Thanks for the explanation, Pepi and Aaron.  The choices seem reasonable
>     > now that you explained the logic.
>     Short update on that; I asked Adam Langley from Google via Twitter
>     yesterday why Chrome does not support a stronger HMAC. He pointed out
>     that AES-CBC mode is still susceptible to the Lucky13 Attack, which I -
>     to be honest - totally forgot about.  So your concern is valid.
>     What I don't understand is why your Chrome did not negotiate for
>     AES-GCM. On which platform are you testing this (OS and architecture)?
>     Aaron
>     _______________________________________________
>     Ach mailing list
>     Ach at lists.cert.at <mailto:Ach at lists.cert.at>
>     http://lists.cert.at/cgi-bin/mailman/listinfo/ach

Alan Orth
alan.orth at gmail.com
"I have always wished for my computer to be as easy to use as my
telephone; my wish has come true because I can no longer figure out how
to use my telephone." -Bjarne Stroustrup, inventor of C++
GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0
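As an added illustration, not part of the thread, the following Python reproduces the negotiation Torsten describes: the server takes the first suite in its own preference list that the client also offers. It parses the ssllabs client list in the format pasted above and uses two hypothetical server preference lists (assumptions, since bettercrypto.org's actual configuration is not in the thread) to show how the same Chromium client can end up on the AES-GCM suite or on a CBC suite depending only on the server's ordering:

```python
import re
from typing import List, Optional, Tuple

# One ssllabs "viewMyClient" row: suite name, hex id, optional FS flag, key bits.
ROW = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)\s*(Forward Secrecy\*?)?\s*(\d+)$")

# Excerpt of the Chromium 35 list pasted above (constructed copy, client's order).
CLIENT_LIST = """\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy\t128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   Forward Secrecy\t128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy\t128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy\t256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)\t128
TLS_RSA_WITH_RC4_128_SHA (0x5)\t128
"""

# Hypothetical server preference lists (assumptions, not bettercrypto.org's
# config): a DHE-only server ranking GCM first, and the same server ranking CBC first.
SERVER_GCM_FIRST = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
SERVER_CBC_FIRST = list(reversed(SERVER_GCM_FIRST))

def parse_client_list(text: str) -> List[Tuple[str, int, bool]]:
    """(name, code, forward_secrecy) per row, in the client's preference order."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            suites.append((m.group(1), int(m.group(2), 16), m.group(3) is not None))
    return suites

def weakness(name: str) -> Optional[str]:
    """Why a suite is non-optimal per the thread: RC4, or CBC (Lucky13 risk)."""
    if "RC4" in name:
        return "RC4"
    if "_CBC_" in name:
        return "CBC"   # MAC-then-encrypt, the Lucky13 issue Aaron mentions
    return None        # AEAD (GCM) suite

def negotiate(server_prefs: List[str], client: List[Tuple[str, int, bool]],
              server_order: bool = True) -> Optional[str]:
    """First common suite by the server's order (e.g. Apache SSLHonorCipherOrder on)
    or, when server_order is False, by the client's order."""
    offered = [name for name, _, _ in client]
    first, second = (server_prefs, offered) if server_order else (offered, server_prefs)
    return next((name for name in first if name in second), None)
```

With SERVER_GCM_FIRST both orderings yield TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (the 0x9e pick Torsten expected), while SERVER_CBC_FIRST yields a CBC suite only when the server's order wins.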
