Re: Improved TLS Defaults

Date: Sun, 02 Feb 2014 00:27:55 +0000
Subject: Re: Improved TLS Defaults
Groups: php.internals
Hi Daniel,

Looking at the openssl output, this eliminates all weak ciphersuites. I'm
testing using the Qualys service at:
https://www.ssllabs.com/ssltest/viewMyClient.html

I have two things to be considered on top of this:

1. If you check the ciphersuite order of the proposed ciphers vs cURL
(current HEAD) vs Mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS),
the ciphers which support perfect forward secrecy are dispersed throughout
the list for the RFC and cURL so numerous non-PFS ciphers will gain
preference over PFS ciphers. PFS has become a big deal recently with people
worried about companies having their private keys stolen or handed over on
foot of a warrant by a three letter agency. I think we should take this
opportunity to follow the trend and that's basically why Mozilla have such
a long explicit ordering in their suite.
2. There have been some questions raised about the efficacy of stronger 256
ciphers vs 128 ciphers. The Mozilla list therefore reorders the ciphers to
prefer the faster 128 ciphers while still maintaining the preference for
PFS first. The base reference for this is:
https://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html.
This describes an attack valid for AES256 but NOT for AES128. To be fair, the
attack should be beyond anyone's computational resources at this time but
as the old pessimist's view goes, if it breaks once, it'll probably break
again, and again, ad infinitum. So if we were to be extremely cautious,
preferring AES128 would be the ticket.

Looking around, it's clear that choosing a cipher suite is not an easy
task. Mozilla, IE and Chromium all differ. cURL and openssl also differ
from the browsers. cURL recently amended its list away from the openssl
DEFAULT on foot of a security report but I don't think they put sufficient
thought into it and basically relied on openssl's judgement for the most
part. In the absence of openssl amending DEFAULT (which may well happen at
some point - it was reported to them after all), I think Mozilla has the
better approach.

The other outcome of the Mozilla ciphersuite is that it removes all ciphers
below 128 (there's about 15 or so below that waterline). These are not
reported as weak on the Qualys site or howsmyssl.com, however, so not sure
if it's necessary in our case at this time.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://phpsecurity.readthedocs.org
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative

