oss-sec mailing list archives
Re: openssl default ciphers
From: Florian Weimer <fweimer () redhat com>
Date: Tue, 05 Nov 2013 13:00:14 +0100
On 11/04/2013 09:37 PM, Reed Loden wrote:
The Mozilla opsec guys wrote up some good guidelines recently on what they consider a good TLS cipher suite choice should be, but even if you didn't want to go all-out by making the default ultra-secure (with full PFS, etc.), they explain their choices fairly well, so should be useful in trying to figure out a middle ground that makes most people happy. https://wiki.mozilla.org/Security/Server_Side_TLS
Personally, I find the push towards PFS rather odd. TLS with PFC is structured in a way that PFS does not unconditionally enhance security. Without PFC, part of the session key handshake is encrypted to the server's public key. With PFC, the entire DH handshake is unencrypted, and the server signs its part. This means that a potential attacker gains another angle, targeting the DH handshake, and it also shifts the picture somewhat as far as the server's public key operation is concerned (decryption vs signing). There is also the possibility that the asymmetric protection of the DH handshake is insufficient. (In this discussion, I'm ignoring DSA server certificates in this discussion because they are so rare.)
In short, I think it's fairly likely that PFS cipher suites offer weaker security compared to their non-PFS counterparts. I suspect most PFS's attractiveness stems from its spelled-out name, not its actual technical merits in the context of TLS.
-- Florian Weimer / Red Hat Product Security Team
Current thread:
- Re: openssl default ciphers, (continued)
- Re: openssl default ciphers Daniel Kahn Gillmor (Nov 04)
- Re: openssl default ciphers Eric H. Christensen (Nov 04)
- Re: openssl default ciphers Hanno Böck (Nov 04)
- Re: openssl default ciphers Russ Allbery (Nov 04)
- Re: openssl default ciphers Stefan Bühler (Nov 04)
- Re: openssl default ciphers Mike (Nov 04)
- Re: openssl default ciphers Eric H. Christensen (Nov 04)
- Re: openssl default ciphers leToff (Nov 04)
- Re: openssl default ciphers Stefan Bühler (Nov 05)
- Re: openssl default ciphers Florian Weimer (Nov 05)