[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE

Aaron Zauner azet at azet.org
Mon Nov 9 12:57:31 CET 2015



Torsten Gigler wrote:
> Hi,
> 
> I'd like to suggest discussing the policy of selecting the ciphers and bringing them into a
> proposed order when discussing a new cipher string.
> This is about like Gunnar wrote today. The String building is a different issue...
> 
> Well, my favorite 2 cents about the policy could be found here:
> https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Protocol_and_Cipher_Configuration
> E.g. I'd favor GCM over CBC regardless of the cipher size (of the same algorithm). 

It's actually not that easy. While some recent attacks against TLS work
well for HTTP - most of them would not work well with other application
layer protocols. For example: attacks that rely on JavaScript to send
back data en masse.

Aaron
