Re: openssl default ciphers

[Florian Weimer <fweimer () redhat com>]

On 11/04/2013 09:37 PM, Reed Loden wrote:

> The Mozilla opsec guys wrote up some good guidelines recently on what
> they consider a good TLS cipher suite choice should be, but even if you
> didn't want to go all-out by making the default ultra-secure (with
> full PFS, etc.), they explain their choices fairly well, so should be
> useful in trying to figure out a middle ground that makes most people
> happy.
>
> https://wiki.mozilla.org/Security/Server_Side_TLS

Personally, I find the push towards PFS rather odd.  TLS with PFC is 
structured in a way that PFS does not unconditionally enhance security. 
 Without PFC, part of the session key handshake is encrypted to the 
server's public key.  With PFC, the entire DH handshake is unencrypted, 
and the server signs its part.  This means that a potential attacker 
gains another angle, targeting the DH handshake, and it also shifts the 
picture somewhat as far as the server's public key operation is 
concerned (decryption vs signing).  There is also the possibility that 
the asymmetric protection of the DH handshake is insufficient.  (In this 
discussion, I'm ignoring DSA server certificates in this discussion 
because they are so rare.)

In short, I think it's fairly likely that PFS cipher suites offer weaker 
security compared to their non-PFS counterparts.  I suspect most PFS's 
attractiveness stems from its spelled-out name, not its actual technical 
merits in the context of TLS.

--
Florian Weimer / Red Hat Product Security Team