
Two more cipher suites which should be disabled #38

Open
rugk opened this issue Oct 17, 2015 · 4 comments

Comments

@rugk

rugk commented Oct 17, 2015

Full story: https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH

After the Logjam attack, where there were already suspicions that 1024-bit DHE keys are not secure anymore.
Now that's for sure.

That is why these ciphers should be disabled:
dhe2

So what do you think of including this in the addon?

@Der-Orden
Contributor

The DHE-Key-Exchange is not broken like the RC4 Cipher.
It is "broken" like RSA - just for short Keys.
The other problem with Logjam is that some groups (primes) are often used; this makes it practicable to pre-calculate the DH group, and then there is no more Forward Secrecy for DHE with that group.
Simple solution: Do not use common DH primes and use the same key size for RSA and DHE (2048+ bit).
By the way: ssllabs tests for "Uses common DH primes" and "DH public server param (Ys) reuse".
Better solution: Use ECDHE.

All in all: If you do it right DHE_RSA_AES___SHA is better than RSA_AES___SHA but the best way is to use one of the "GCM Ciphers" with ECDHE Key-Exchange

@rugk
Author

rugk commented Oct 17, 2015

> It is "broken" like RSA - just for short Keys.

Yeah, but this won't change in the near future. In the article of the security researchers it's explained:

> Since weak use of Diffie-Hellman is widespread in standards and implementations, it will be many years before the problems go away, even given existing security recommendations and our new findings.

EFF also confirms this:

> However, 1024-bit Diffie-Hellman remains supported for the foreseeable future despite its vulnerability to NSA surveillance.

> The Other problem with Logjam is that some groups (primes) are often used, this makes it practicable to pre-calculate the dh-group and no more Forward Secrecy for DHE with the group.
> Simple solution: Do not use common DH primes and use the same Keysize for RSA and DHE (2048+ Bit)
> By the way: ssllabs tests for "Uses common DH primes" and "DH public server param (Ys) reuse"
> Better solution: Use ECDHE.

Yes, I know. The problem is just that this has to be done on the webserver. From the browser/client perspective you cannot really control this. Of course you can't perform an SSLLabs scan for every site you visit.
But hey, we're at Ssleuth, so at least displaying and evaluating the DH key size could be done... --> So I found this issue: #22

Another (much better) way would of course be to block this connection based on the DH key size. I've opened a new issue about this: #39

@sibiantony
Owner

@rugk It's easy to add another default list for DHE. The reason why I had made the whole thing customizable is that people can do it themselves.
However,

  1. Firefox doesn't expose the DHE key sizes as of now. And that means blocking all DHE suites will also block the 2048+ bits ones.
  2. Some websites do only support DHE (no ECDHE etc.), and disabling the suites from the browser can break the connections.

Please continue this topic in #22.

@rugk
Author

rugk commented Oct 19, 2015

> The reason why I had made the whole thing customizable is that people can do it themselves.

Yes, that's why I'm suggesting this. It should not be done automatically, but by the users themselves.
I just thought this would be a nice default list - so it's much easier to disable the ciphers for new users. Additionally they may be made aware that something with these ciphers is wrong. (To do this in a better way it would of course be good to show a kind of description and/or link in the default lists there, for more information.)

In the second case most connections will downgrade to non-Forward-Secrecy ciphers, as these are almost always supported (at least by the part of servers which use 1024-bit DH keys).
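The three points argued in this thread (Der-Orden's ordering "ECDHE with GCM > DHE_RSA > static RSA, never RC4", the ssllabs-style checks for common primes and Ys reuse, and sibiantony's and rugk's observation that dropping DHE from the client offer either breaks DHE-only servers or downgrades the rest to non-forward-secret suites) can be made concrete with a small simulation. The following is an added example, not code from Ssleuth or from anyone in this thread. It assumes OpenSSL-style suite names, treats a name with no key-exchange prefix as static RSA (OpenSSL's convention), and uses a constructed placeholder integer in place of the real published 1024-bit groups (e.g. RFC 2409 Oakley Group 2) that a deployment would load from a file.

```python
"""Added example: classify TLS cipher suites, run ssllabs-style DH checks, and
simulate what a client gains or loses by dropping DHE suites from its offer."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    kx: str             # "ECDHE", "DHE", "RSA" (static RSA key transport) or "OTHER"
    forward_secrecy: bool
    aead: bool          # GCM / CCM / ChaCha20-Poly1305 ("GCM ciphers" in the thread)
    broken: bool        # RC4, export-grade, NULL or anonymous suites


def classify_suite(name: str) -> SuiteInfo:
    """Assumption: OpenSSL-style names ('ECDHE-RSA-AES128-GCM-SHA256', 'DHE-RSA-AES256-SHA',
    'AES128-SHA'). A name without a key-exchange prefix is static RSA in OpenSSL naming."""
    upper = name.upper()
    prefix = upper.split("-", 1)[0]
    if prefix == "ECDHE":
        kx = "ECDHE"
    elif prefix in ("DHE", "EDH"):
        kx = "DHE"
    elif prefix in ("ECDH", "DH", "ADH", "AECDH", "PSK", "SRP"):
        kx = "OTHER"            # static (EC)DH, anonymous or PSK/SRP: not ranked here
    else:
        kx = "RSA"
    broken = any(tag in upper for tag in ("RC4", "EXP", "NULL", "ADH", "AECDH"))
    aead = any(tag in upper for tag in ("GCM", "CCM", "CHACHA20"))
    return SuiteInfo(name, kx, kx in ("ECDHE", "DHE"), aead, broken)


KX_RANK = {"ECDHE": 3, "DHE": 2, "RSA": 1, "OTHER": 0}


def suite_score(name: str) -> tuple:
    """Der-Orden's ordering: never a broken suite; then ECDHE > DHE > static RSA; AEAD preferred."""
    info = classify_suite(name)
    return (0 if info.broken else 1, KX_RANK[info.kx], 1 if info.aead else 0)


def rank_suites(names: Iterable[str]) -> List[str]:
    return sorted(names, key=suite_score, reverse=True)  # best first, stable for ties


# Constructed placeholder standing in for the published 1024-bit MODP primes;
# it is NOT prime and NOT a real group, it only has the right bit length.
PLACEHOLDER_COMMON_PRIME = (1 << 1023) + 12345


def dh_findings(modulus: int, common_primes: Set[int], observed_ys: Iterable[int],
                min_bits: int = 2048) -> List[str]:
    """The two ssllabs checks named in the thread plus the minimum modulus size.
    observed_ys are the server's ephemeral public values seen across handshakes."""
    findings = []
    bits = modulus.bit_length()
    if bits < min_bits:
        findings.append(f"DH modulus is {bits} bits; want at least {min_bits}")
    if modulus in common_primes:
        findings.append("Uses common DH primes")
    ys = list(observed_ys)
    if len(ys) != len(set(ys)):
        findings.append("DH public server param (Ys) reuse")
    return findings


def negotiate(client_offer: List[str], server_supported: List[str],
              server_preference: bool = True) -> Optional[str]:
    """First suite in the preferring side's order that the other side also supports."""
    first, second = (server_supported, client_offer) if server_preference else (client_offer, server_supported)
    for suite in first:
        if suite in second:
            return suite
    return None


def drop_dhe(offer: List[str]) -> List[str]:
    return [s for s in offer if classify_suite(s).kx != "DHE"]


def simulate_drop_dhe(client_offer: List[str], server_supported: List[str]) -> dict:
    """What the client negotiates before and after removing every DHE suite from its offer."""
    def fs(s: Optional[str]) -> Optional[bool]:
        return None if s is None else classify_suite(s).forward_secrecy
    before = negotiate(client_offer, server_supported)
    after = negotiate(drop_dhe(client_offer), server_supported)
    return {"before": before, "before_fs": fs(before), "after": after, "after_fs": fs(after)}


# Constructed sample offers (not captured from any real client or server).
CLIENT_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "AES128-SHA"]
SERVER_DHE_ONLY = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"]          # sibiantony's point 2
SERVER_LEGACY = ["DHE-RSA-AES128-SHA", "AES128-SHA"]                     # rugk's downgrade case
SERVER_MODERN = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA"]   # nothing lost

if __name__ == "__main__":
    print(rank_suites(CLIENT_OFFER + ["RC4-SHA"]))
    print(dh_findings(PLACEHOLDER_COMMON_PRIME, {PLACEHOLDER_COMMON_PRIME}, [5, 7, 5]))
    for label, server in (("dhe-only", SERVER_DHE_ONLY), ("legacy", SERVER_LEGACY), ("modern", SERVER_MODERN)):
        print(label, simulate_drop_dhe(CLIENT_OFFER, server))
```

The simulation shows the trade-off the owner describes without any Firefox-side DH key size information: against the DHE-only server the connection fails outright, against the legacy server it silently lands on a static-RSA suite with no forward secrecy, and only against a server that already offers ECDHE does dropping DHE cost nothing.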
