Re: Improved TLS Defaults
Hey Daniel,
On 29 January 2014 16:01, Daniel Lowrey <[email protected]> wrote:
> > The Mozilla defaults are geared towards achieving perfect forward
> security
> > where possible ...
> > The RFC, at a minimum, seems a positive change.
>
> Great! This is the goal.
>
I think it's a great goal so we'll see how the RFC goes :P.
> The settings proposed in the RFC are geared towards disallowing anything
> that's unabashedly insecure while still maintaining the broadest possible
> support by default (to minimize BC implications). I realize that Padraic
> isn't suggesting this but I want to state for the record that I don't
> believe it makes sense at this time to try to enforce perfect forward
> security as a language-level default. However, it *is* important to move
> away from the existing naive default and that's what the RFC proposes.
>
You're correct, I'm not suggesting PFS right now but I just wanted to add
context as to where the browser community is headed. While I joked a bit
about Internet Explorer/Safari, Microsoft has been pushing the IETF pretty
hard over it too. Eventually server->server will be the weakest link in the
chain if it doesn't also adopt PFS so let's not dismiss it for the next
decade either ;).
The IETF also has a TLS group setup whose charter is basically to propose
standards on using TLS:
https://datatracker.ietf.org/doc/charter-ietf-uta/.
They are a long
way from publishing anything but its recommendations may
bear on future TLS changes in PHP.
Paddy
--
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
Thread (19 messages)