chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Mark DHE as bad or dubious #398

Closed christhompson closed 4 years ago

christhompson commented 5 years ago

This updates the icons/labels for dh1024 and dh2048 from "dubious" and "good" to "bad" and "dubious", and adds dh2048 to the "Legacy Cryptography" section of the Dashboard.

It is now over two years since non-EC DHE support was removed from Chrome (https://www.chromestatus.com/feature/5128908798164992) after the Logjam attacks indicated that DHE key exchange was generally insecure. While 2048-bit DH is still ~okay (that's large enough that we don't think it's currently breakable, but attacks only get better), I think it makes sense to mark it as "dubious" and add it to the "Legacy Cryptography" section of the dashboard. Modern configurations should strongly favor ECDHE.

1024-bit DH was already added to the Dashboard view under "Broken Cryptography", so actively labeling it as "bad" on the front page would align the two.

This closes #313.
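As an added defender-side check (not part of this PR or the badssl.com code), the following script rates a server's key exchange on the scale this PR adopts: finite-field DH below 2048 bits is "bad", 2048-bit DH is "dubious", and ECDHE is "good". It parses the `Server Temp Key:` line that `openssl s_client` prints and, when run directly, probes hosts such as dh1024.badssl.com with a DHE-only cipher string (the hostnames, the cipher string and the openssl output format are assumptions).

```python
import re
import subprocess
import sys

# Matches the "Server Temp Key:" line printed by `openssl s_client`, e.g.
#   Server Temp Key: DH, 2048 bits
#   Server Temp Key: ECDH, P-256, 256 bits
#   Server Temp Key: X25519, 253 bits
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(?P<kind>[A-Za-z0-9-]+)"
    r"(?:,\s*(?P<group>[^,]+?))?,\s*(?P<bits>\d+) bits",
    re.MULTILINE,
)


def rate_key_exchange(s_client_output: str) -> str:
    """Rate the negotiated ephemeral key exchange on the badssl.com scale."""
    m = TEMP_KEY_RE.search(s_client_output)
    if m is None:
        return "unknown"  # handshake failed, or no ephemeral key (e.g. static RSA)
    kind, bits = m.group("kind").upper(), int(m.group("bits"))
    if kind == "DH":
        # Finite-field DHE: below 2048 bits is Logjam territory; 2048 bits is
        # legacy cryptography and never "good", since Chrome dropped DHE entirely.
        return "bad" if bits < 2048 else "dubious"
    return "good"  # ECDH (P-256 etc.), X25519, X448


def probe(host: str, port: int = 443) -> str:
    """Offer only TLS 1.2 DHE suites so the server must either use finite-field
    DH or refuse; "unknown" after this probe means it did not accept DHE.
    Assumes an `openssl` binary that prints the Server Temp Key line (1.0.2+)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-tls1_2", "-cipher", "DHE"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return rate_key_exchange((proc.stdout + proc.stderr).decode(errors="replace"))


# Constructed sample s_client fragments (not captured from real hosts).
SAMPLES = {
    "dh1024": "SSL handshake has read 1234 bytes\nServer Temp Key: DH, 1024 bits\n",
    "dh2048": "Server Temp Key: DH, 2048 bits\n",
    "ecdhe": "Server Temp Key: X25519, 253 bits\n",
}

if __name__ == "__main__":
    # Assumed badssl.com subdomains for the two DH test pages.
    for host in sys.argv[1:] or ["dh1024.badssl.com", "dh2048.badssl.com"]:
        print(f"{host}: {probe(host)}")
```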

christhompson commented 5 years ago

I think we should also update the backgrounds on the subdomain assets (domains/key-exchange/dh{1024, 2048}/index.htm)!

Good catch -- done! I set dh1024 to red and dh2048 to yellow to match the statuses.