[Ach] New study on Forward Secrecy

Aaron Zauner azet at azet.org
Wed Dec 31 17:51:21 CET 2014


* Hanno Böck <hanno at hboeck.de> [31/12/2014 00:37:24] wrote:
> There should be something said about these numbers: They were from
> January 2014. Apache only added support for > 1024 bit in November 2013.
> I assume it's likely much higher now, although probably still in a bad
> state.

Sure, figures might be better by now but I still suspect them to be
very bad. The issue is: this is again not an internet-wide scan but
a scan on the Alexa top 1m. About half of them support HTTPS. These
sites are usually large-traffic sites (sometimes ecommerce et
cetera) which are more incentivised to run updated services than the
internet as a whole. I suspect that most of them do not use our
recommendations in any way.

> 
> I was highly confused by the fact they claim that only 14 servers
> supported 4096 bit DH. That'd mean that I would run a significant
> portion of those.

Also: No idea how it's for services that are non-HTTPS.

Aaron