crypto/tls: Disable CBC Ciphers by default

golang / go

The Go programming language

https://go.dev

BSD 3-Clause "New" or "Revised" License

124.14k stars 17.69k forks source link

crypto/tls: Disable CBC Ciphers by default #13385

Open pquerna opened 8 years ago

pquerna commented 8 years ago

Per @agl on Twitter, the only way to be safe with Go and TLS if you are worried about Lucky13-style attacks is to disable CBC mode ciphers:

https://twitter.com/agl__/status/669182140244824064

Currently none of the CBC ciphers are marked with suiteDefaultOff: https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L75-L95

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

It seems wrong for Go to have insecure defaults for a class of attacks that is becoming more well documented. If there is no willingness to implement countermeasures, shouldn't the vulnerable class of ciphers be disabled by default?

timcooijmans commented 8 years ago

Disabling CBC so will break compatibility with many operating systems and devices. In practice all public-facing Go-services would have to re-enable the CBC-ciphersuites. So the question is wether implementing countermeasures isn't the only viable solution.

bradfitz commented 8 years ago

Perhaps it just needs to be easier to change the global, default ciphersuites without re-wiring up a tls.Config, http.Server, *http.Transport, etc.

pquerna commented 8 years ago

@bradfitz such a method would be a good start; http2 is already has a blacklist of ciphers, making a way to more easily control that behavior in the various invocations of cipher configurations / global default would be a great start.

DemiMarie commented 8 years ago

If disabling CBC is not an option, Go needs to implement the appropriate countermeasures in its cryptography (or call out to a third-party library that does so).

Also AEAD ciphers should automatically be preferred when possible.

timcooijmans commented 8 years ago

I agree, as long as CBC is needed to support all commonly used browsers and libraries, fixing CBC is the only solution, no matter how ugly and complex it may be. While disabling CBC ensures a safe-default. The fact that in practice any public service needs to re-enable it, still leads to unsafe situations that could lead to breaches and negative publicity for Go.

gopherbot commented 8 years ago

CL https://golang.org/cl/17532 mentions this issue.

gopherbot commented 8 years ago

CL https://golang.org/cl/18130 mentions this issue.

gopherbot commented 7 years ago

CL https://golang.org/cl/33665 mentions this issue.

gopherbot commented 7 years ago

CL https://golang.org/cl/35290 mentions this issue.