Two more cipher suites which should be disabled #38
Comments
The DHE-Key-Exchange is not broken like the RC4 Cipher. All in all: If you do it right, DHE_RSA_AES___SHA is better than RSA_AES___SHA, but the best way is to use one of the "GCM Ciphers" with ECDHE Key-Exchange.
Yeah, but this won't change in the near future. In the article of the security researchers it's explained:
EFF also confirms this:
Yes, I know. The problem is just that this has to be done on the webserver. From the browser/client perspective you cannot really control this. Of course you can't perform an SSLLabs scan for every site you visit. Another (much better) way would of course be to block this connection based on the DH key size. I've opened a new issue about this: #39
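What a check on the DH key size would have to look at, as an added example that is not part of the thread or the addon's code: in TLS 1.2 and earlier, the prime length is visible in the `ServerDHParams` at the start of the ServerKeyExchange message body. The function names, the assumption that those raw bytes are available to the caller, and the 2048-bit floor are all assumptions of this sketch.

```javascript
// Added example; parseServerDHParams, dhPolicy and MIN_DH_BITS are hypothetical names.
const MIN_DH_BITS = 2048; // assumed policy floor; the thread only says 1024-bit is too weak

// Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then the bytes.
function readVector16(buf, offset) {
  if (offset + 2 > buf.length) throw new RangeError("truncated length prefix");
  const len = (buf[offset] << 8) | buf[offset + 1];
  const start = offset + 2;
  if (len === 0 || start + len > buf.length) throw new RangeError("bad vector length");
  return { bytes: buf.subarray(start, start + len), next: start + len };
}

// Bit length of a big-endian unsigned integer, ignoring leading zero bytes.
function bitLength(bytes) {
  let i = 0;
  while (i < bytes.length && bytes[i] === 0) i++;
  if (i === bytes.length) return 0;
  return (bytes.length - i - 1) * 8 + (32 - Math.clz32(bytes[i]));
}

// ServerDHParams = dh_p, dh_g, dh_Ys (the signature that follows is ignored here).
function parseServerDHParams(body) {
  const p = readVector16(body, 0);
  const g = readVector16(body, p.next);
  const ys = readVector16(body, g.next);
  return { pBits: bitLength(p.bytes), gBits: bitLength(g.bytes), ysBits: bitLength(ys.bytes) };
}

// Decide whether a DHE handshake should be allowed, failing closed on malformed input.
function dhPolicy(body, minBits = MIN_DH_BITS) {
  let params;
  try {
    params = parseServerDHParams(body);
  } catch (e) {
    return { allow: false, reason: "malformed: " + e.message };
  }
  if (params.pBits < minBits) {
    return { allow: false, reason: `DH prime is ${params.pBits} bits, below ${minBits}` };
  }
  return { allow: true, reason: `DH prime is ${params.pBits} bits` };
}

// Constructed sample body: p is all 0xff bytes (not a real prime, only its length matters).
function sampleBody(pLen) {
  const vec = (bytes) => [bytes.length >> 8, bytes.length & 0xff, ...bytes];
  return Uint8Array.from([...vec(new Array(pLen).fill(0xff)), ...vec([2]), ...vec(new Array(pLen).fill(0x11))]);
}
```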
@rugk It's easy to add another default list for DHE. The reason why I had made the whole thing customizable is that people can do it themselves.
Please continue this topic in #22.
Yes, that's why I'm suggesting this. It should not be done automatically, but by themselves. In the second case most connections will downgrade to non-Forward-Secrecy ciphers as these are almost always supported (at least for the part of servers which use 1024-bit DH keys).
Full story: https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
After the Logjam attack - where there were already suspicions that 1024 DHE keys are not secure anymore.
Now that's for sure.
That is why these ciphers should be disabled:
So what do you think of including this in the addon?