seiichi-yoshimune
commented
3 years ago Wired Client should ideally autonegotiate the best available cipher available from server and client
better the server should enforce tls v1.3 with forward secrecy, client is out of control.. ie. it could be patched to enforce flawed weak cyphers
Summary:
Improve cryptographic security by deprecating insecure cipher suites and improving key exchange. Including easy short term improvements and longer term suggestions to modernize the available encryption.
Steps to Reproduce:
When creating a bookmark, Wired Client asks for a cipher suite to use for the server connection. Most users are not able to make a secure choice there. (Because most users are not familiar with cryptography and also because there are no fully secure cipher suites available at all.) The available ciphers must be required by the server, not be a client side choice with insecure defaults.
Expected Results:
Wired Client should ideally autonegotiate the best available cipher available from server and client, not ask the user to make a choice they cannot really make in a good manner.
Short term improvement suggestion
Change the default cipher to
RSA - AES/256 - SHA512which ist already implemented and the best available suite at the moment of this writing. It's still not an ideal choice. Reservations regarding CPU load are unwarranted since all CPUs since 2009 support hardware accelerated encryption withAES. In fact,AES256with AES-NI (provided viaopenssl) causes less CPU overhead than Blowfish or 3DES.Near term improvement suggestion
Remove insecure ciphers from client and server, they also give users and admins a false sense of security:
Remove any cipher that still uses SHA1
SHA1is an insecure hashing function that has been deprecated for many years now.RSA - AES/128 - SHA1RSA - AES/192 - SHA1RSA - AES/256 - SHA1RSA - BF/128 - SHA1RSA - 3DES/192 - SHA1Remove any cipher that still uses
BF(Blowfish)Blowfish is even considered insecure and deprecated by its original author (Bruce Schneier).
RSA - BF/128 - SHA1RSA - BF/128 - SHA256RSA - BF/128 - SHA512Remove any cipher hat still uses
3DES(Triple DES)RSA - 3DES/192 - SHA1RSA - 3DES/192 - SHA256RSA - 3DES/192 - SHA512Provide better guidance until auto negotiation handles this is a secure manner.
At the very least, these insecure ciphers should be explicitly marked as deprecated and insecure to encourage users making better choices by hinting them and providing a better default. For example, by putting them into a submenu named
Insecure ciphers.For a future release these ciphers should be removed from the client all together. We should give server operators some heads up so they can change their settings in advance should that be necessary.
Actual Results:
Wired Client requires the user to pick from a list of outdated cipher suites without any guidance. This must be handled by the handshake and server requirements.
Wired Client provides an insecure and outdated default putting users unnecessarily at risk. There's only outdated and some outright insecure ciphers available. (Insecure hashing via
SHA1, insecure/outdated symmetric encryption viaBFand3DES.) There are no modern and secure AEAD cipher suites available. (CHACHA20-POLY1305,AESGCM) There's no modern key exchange mechanism available that provides forward secrecy. (Only PlainRSAbut notECDHEwhich would be provided byopenssl.)Regression:
n/a
Notes:
Secure TLS connections should be using one of the following TLS 1.2/TLS1.3 cipher suites:
ECDHE-RSA-CHACHA20-POLY1305ECDHE-RSA-AES256-GCM-SHA384ECDHE-RSA-AES128-GCM-SHA256These cipher suites also implement forward secrecy which is a mandatory property for secure connections these days. These cipher suites also make use of hardware crypto acceleration, like AES-NI provided by intel/AMD CPUs (or NEON on ARM). These suites therefor cause less CPU overhead on servers.
Version Information:
Wired Client 2.5 (56)