Display individual scores of cipher (separate CBC and SHA1 in UI) #57

Open
rugk opened this issue Mar 15, 2016 · 6 comments
rugk commented Mar 15, 2016

AES GCM is authenticated encryption and should therefore be considered more secure than AES CBC.

See:

rugk changed the title from "Rank AES_GCM higher than AES_CBM" to "Rank AES_GCM higher than AES_CBC" on Mar 15, 2016

sibiantony (Owner) commented

It is already. AES GCM gets the highest (10/10) and AES CBC (8/10) comes next.
Check cipher-suites.js
These figures are approximate and not quantifiable by any means.

rugk commented Mar 15, 2016

Really? So let's take this test site: https://cbc.badssl.com/

It gets 7.8, but as far as I know it only does not get 9 because of the SHA-1 HMAC (at least this is the only thing which is indicated to be "weak" in the GUI).

sibiantony (Owner) commented

Well, I meant not-quantifiable for the figures defined in cipher-suites.js. Like, you could ask why 10/10 for GCM and 8/10 for AES-CBC; there's no 'measurable' method I can give. The overall ratings are computed, of course! :)

It gets 7.8, but as far as I know it only does not get 9 because of the SHA-1 HMAC (at least this is the only thing which is indicated to be "weak" in the GUI).

Nope. If it was AES-GCM with a SHA1 HMAC (well, there isn't a cipher-suite like that, but let's say there is), it could have been 3.0/4. The rating against the cipher suite is a weighted sum of key exchange, bulk cipher and HMAC (weights being 3, 3, and 4 respectively). This figure is further 'normalized' for a score out of 4. Which is where it gets a 2.8 out of 4. Try the math yourself.
You could also go to the preferences page -> Connection ranking -> Set key exchange, HMAC values to 0, bulk cipher to 10 -> Apply. Now Ciphersuite scores are only that of the bulk cipher. Switch between a page offering AES CBC and GCM, and you can easily spot the difference.
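The weighting described in the comment above, worked through as an added example (this is not code from the project or from cipher-suites.js). The weights 3/3/4 and the bulk-cipher figures (AES-GCM 10/10, AES-CBC 8/10) come from this thread; the normalization (divide by the maximum possible weighted sum, scale to 4, round to one decimal) and the key-exchange and HMAC component scores (7 and 6) are assumptions, chosen so the example lands on the 3.0 and 2.8 figures quoted above. The `breakdown` function shows the per-parameter contribution that the UI does not display, which is the point of this issue, and `BULK_ONLY_WEIGHTS` reproduces the preferences trick from the same comment.

```javascript
// Added example: cipher-suite rating as a weighted sum of three component
// scores, normalized to a score out of 4. Not the project's own code.

const DEFAULT_WEIGHTS = { kx: 3, bulk: 3, hmac: 4 }; // from the thread
const COMPONENT_MAX = 10;  // each component is scored out of 10
const NORMALIZED_MAX = 4;  // the suite rating is displayed out of 4

function round1(x) { return Math.round(x * 10) / 10; }
function round2(x) { return Math.round(x * 100) / 100; }

// Highest weighted sum reachable with the given weights (100 for 3/3/4).
function maxWeightedSum(weights) {
  return (weights.kx + weights.bulk + weights.hmac) * COMPONENT_MAX;
}

// Raw weighted sum of the three component scores.
function weightedSum(scores, weights = DEFAULT_WEIGHTS) {
  return weights.kx * scores.kx + weights.bulk * scores.bulk + weights.hmac * scores.hmac;
}

// Normalize onto the 0..4 scale and round to one decimal, as the UI shows it.
// (Assumption: the project's exact normalization is not shown on the page.)
function suiteScore(scores, weights = DEFAULT_WEIGHTS) {
  const score = (weightedSum(scores, weights) / maxWeightedSum(weights)) * NORMALIZED_MAX;
  return round1(score);
}

// What the UI does not show: how many of the 4 points each parameter earned
// and how many it lost, so a user can tell CBC's share from SHA-1's share.
function breakdown(scores, weights = DEFAULT_WEIGHTS) {
  const maxSum = maxWeightedSum(weights);
  const out = {};
  for (const part of ['kx', 'bulk', 'hmac']) {
    const earned = (weights[part] * scores[part] / maxSum) * NORMALIZED_MAX;
    const possible = (weights[part] * COMPONENT_MAX / maxSum) * NORMALIZED_MAX;
    out[part] = { earned: round2(earned), lost: round2(possible - earned) };
  }
  return out;
}

// Bulk-cipher figures quoted in the thread; KX and HMAC values are constructed
// placeholders (assumptions), not values from cipher-suites.js.
const BULK_SCORE = { AES_GCM: 10, AES_CBC: 8 };
const PLACEHOLDER_KX = 7;
const PLACEHOLDER_HMAC_SHA1 = 6;

// Same key exchange and HMAC, only the bulk cipher differs.
function compareModes(kx = PLACEHOLDER_KX, hmac = PLACEHOLDER_HMAC_SHA1, weights = DEFAULT_WEIGHTS) {
  const gcm = suiteScore({ kx, bulk: BULK_SCORE.AES_GCM, hmac }, weights);
  const cbc = suiteScore({ kx, bulk: BULK_SCORE.AES_CBC, hmac }, weights);
  return { gcm, cbc, delta: round1(gcm - cbc) };
}

// The preferences trick from the comment: zero the KX and HMAC weights and
// the suite score becomes a function of the bulk cipher alone.
const BULK_ONLY_WEIGHTS = { kx: 0, bulk: 10, hmac: 0 };

console.log('default weights:', compareModes());
console.log('bulk only:', compareModes(undefined, undefined, BULK_ONLY_WEIGHTS));
console.log('CBC + SHA-1 breakdown:',
  breakdown({ kx: PLACEHOLDER_KX, bulk: BULK_SCORE.AES_CBC, hmac: PLACEHOLDER_HMAC_SHA1 }));
```

With the default weights the GCM/CBC gap is 3 × 2 = 6 of 100 points, i.e. about 0.2 on the 4-point scale, which is why the two suites look almost the same in the summary figure; with the bulk-only weights the same gap becomes 0.8, which is what the comment suggests switching to in order to spot it.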

rugk commented Mar 15, 2016

So, if I understand it correctly:

  • CBC lowers the score
  • SHA1 lowers the score

But I have a UI/UX issue in this case: I cannot see (without my own calculations or something like that) whether the lower score is caused by the first or second "parameter". Because the grey "sum" displayed at the right shows the score of the whole cipher, so no one can see what exact "part" of the cipher caused the lower score.
However when SHA-1 is used there is another grey message stating "Reportedly weak", so this lets the user know that SHA-1 is insecure. However there is no message for the CBC mode, so the user may think the CBC mode in the cipher is all right and the only thing which causes the score to reduce is the SHA-1 HMAC.
Basically this is what I thought... 😶

sibiantony (Owner) commented

Indeed, the UI doesn't display the individual scores computed for the parameters in cipher suite. Had thought about that many times, but was never a priority.
That should qualify as another feature request. If you don't have any more questions on this one, I will close this issue.

rugk changed the title from "Rank AES_GCM higher than AES_CBC" to "Display indivudual scores of cipher" on Mar 16, 2016

rugk commented Mar 16, 2016

I've just renamed this issue.

rugk changed the title from "Display indivudual scores of cipher" to "Display individual scores of cipher (separate CBC and SHA1 in UI)" on Jun 18, 2016