[Ach] Vote for new Cipherstring B [Was: Issue with OpenSSL >0.9.8l]

Adi Kriegisch adi at kriegisch.at
Sat May 17 17:24:03 CEST 2014


> I downloaded every available draft since you started this and I started
> following this list around the time when this topic started. As I would
> not call myself a security or cryptography expert, you can think of me
> as a consumer of your product.
> I think what you want to achieve here is not pointless at all, but it is
> impossible in the current form.
> After following this discussion, on my servers I settled for a sweet and
> short:
>     'kEDH+aRSA+AES128:kEECDH+aRSA+AES128:+SSLv3'
Nice. ;-)
> So why bother with the quest for the universally applicable string? I'm
> sure you get a nice and safe short string for every version out there.
Thanks for your posting. We very much apprechiate "users" who follow our
project! Follow in the sense of updating their cipher strings and settings
from time to time.
The reason we try to come up with "the" cipher string is the fear of casual
readers taking one version of the cipher string and never, ever come back
or reconsider their (and in some respect our) choice.
Take what happened with RC4: about the whole internet chose RC4 after some
issues but most admins never reconsidered their choice[1]. There for sure
is an urgent need to update security configurations from time to time.
Bettercrypto.org alone will not be able to make that attitude mainstream.

On the other hand, you're probably right: it would be easier to give
recommendations based on specific versions. I think we need to further
discuss this. :-)
And while we're at it: I think we should recommend not to use Apache 2.0 or
2.2 for SSL due to the dh params it uses.

> Best regards and thanks for your work, I really do appreciate it.
Thanks for sharing your opinion and your appreciation!

-- Adi

[1] https://www.trustworthyinternet.org/ssl-pulse/
    RC4: 33% with most modern browsers, 57% offer some RC4 cipher suites
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 827 bytes
Desc: Digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20140517/f3095935/attachment.sig>

More information about the Ach mailing list