mozilla / server-side-tls

Server side TLS Tools
https://ssl-config.mozilla.org
Mozilla Public License 2.0

No 256 bit connection possible #32

Closed alexhass closed 9 years ago

alexhass commented 9 years ago

apache 2.2.22 | intermediate profile | OpenSSL 1.0.1e

does not have any cipher that has 256 bit on top. Therefore browsers only establish a 128bit connection and not a 256bit. Per SSLLabs there are much harder cipher orders.

lgarron commented 9 years ago

This issue is mostly the same as #34 (also filed by you).

Again, 256-bit ciphers are not necessarily better than 128-bit ciphers. See the references in the Prioritization Logic section of the wiki page this tool is based on.

alexhass commented 9 years ago

That sounds a bit like a misunderstanding to me.

If you order the same cipher with 128 bit before the 256bit cipher then the browser will not use the 256bit. Normally you need to order 256 then 128 of the same cipher.

I strongly believe that 256bit is a lot harder than 128 of the same cipher.

jvehent commented 9 years ago

> I strongly believe that 256bit is a lot harder than 128 of the same cipher.

Scientific assessments are preferred to beliefs. Vincent Rijmen himself said 256 bits in AES was not worth the computing overhead. Studies show that AES-256 implementations are more vulnerable to timing attacks. We have done a significant amount of research before making this decision, and I would encourage you to do the same thing and present verifiable arguments if you think this change should be made.

alexhass commented 9 years ago

Well I made no scientific assessments. But you know NSA and co undermine security and teach people to use weaker ciphers. We cannot trust anybody anymore.

The 256bit are on top by default in apache, too. I think there are good reasons to have stronger ciphers. But I cannot prove it myself.

But how should a browser select the 256bit ciphers with the orders you configured? I think it is useless... How it is now you may also remove the 256bit ciphers as browsers are trying from strongest to weaker ciphers and not vice versa as I know. Please correct me if I'm wrong.

This is the first page I have read that recommends weaker ciphers over stronger ones.

jvehent commented 9 years ago

Strength is not only a question of key size. Implementation bugs are far more likely to undermine the security of TLS than the number of bits used in AES keys, and so far scientific literature indicates that AES 128 implementations are better protected from timing attacks than their 256 counterparts.

alexhass commented 9 years ago

But how should a browser select the 256bit ciphers with the orders you configured? I think it is useless... How it is now you may also remove the 256bit ciphers as browsers are trying from strongest to weaker ciphers and not vice versa as I know. Please correct me if I'm wrong.

jvehent commented 9 years ago

Check out the CLIENT HELLO sent by both Firefox and Chrome, you'll be surprised that the cipher they prefer is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b). You're already not using 256 bits AES unless the server enforces it.

We don't want to stop clients from choosing AES-256 if they insist, which is why it stays in the list. And no one's stopping you from disabling all 128 bits ciphers in about:config if you're convinced that 256 bits is better for you.
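
The selection behaviour argued over in this thread, as an added example that is not part of the original discussion or the project's code: it decodes a ClientHello `cipher_suites` vector and picks a suite under server-enforced and client-preferred ordering. The client vector and both server lists are constructed for illustration, and the function names and the `honor_server_order` parameter are assumptions of this sketch.

```python
import struct

# IANA TLS cipher suite code points used in this example.
SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def parse_cipher_suites(vector: bytes) -> list[int]:
    """Decode the ClientHello cipher_suites vector: uint16 length, then uint16 ids."""
    if len(vector) < 2:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("!H", vector[:2])
    body = vector[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack(f"!{length // 2}H", body))

def negotiate(client, server, honor_server_order):
    """Pick the first mutually supported suite in the order of whichever side decides."""
    first, second = (server, client) if honor_server_order else (client, server)
    allowed = set(second)
    for suite in first:
        if suite in allowed:
            return suite
    return None  # no overlap: the handshake would fail

# Constructed ClientHello fragment (not a capture): AES-128-GCM offered ahead of AES-256.
CLIENT_VECTOR = bytes.fromhex("000c" "c02b" "c02f" "c02c" "c030" "c013" "c014")
# Constructed server lists for an RSA certificate, so no ECDSA suites.
SERVER_128_FIRST = [0xC02F, 0xC030, 0xC013, 0xC014]
SERVER_256_FIRST = [0xC030, 0xC02F, 0xC014, 0xC013]

if __name__ == "__main__":
    offered = parse_cipher_suites(CLIENT_VECTOR)
    for label, server, honor in [
        ("128 first, server order", SERVER_128_FIRST, True),
        ("256 first, server order", SERVER_256_FIRST, True),
        ("256 first, client order", SERVER_256_FIRST, False),
    ]:
        print(label, "->", SUITES[negotiate(offered, server, honor)])
```

With the server list ordered 256 first, AES-256 is chosen only when the server's order is enforced; when the client's order decides, the same lists yield the 128-bit GCM suite.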