On 23/09/15 06:26, Georgi Guninski wrote:
> On Tue, Sep 22, 2015 at 09:27:43AM -0500, Brent Cook wrote:
>> Sounds like the next step is to remove curves <= 193 bits, and learn from what breaks as a result.
> I believe this will break some CA certs trusted by major browsers and in particular will break some browsing.
Yes, that is a big problem with SSL and TLS. The desire for backwards compatibility and cipher agility means that the little padlock in the browser doesn't actually mean very much - the suite in use might be so weak as to be no better than unauthenticated plaintext.

More, the average user doesn't usually have a clue what's going on - How secure is the suite in use? Does the suite in use have forward security? Is there any authentication? Is the authentication reliable? Is there any encryption? Is it actually secure in any way? - these are questions the average user cannot answer. Heck, I can't answer them most of the time without digging into the innards of the session.

Backwards compatibility and cipher agility also permit cipher suite choice degradation attacks like FREAK and logjam, where weak suites are forced on the user.

To be secure, cipher agility absolutely requires that weak or broken ciphers can be effectively and definitively eliminated from use - but there is no real mechanism in SSL/TLS for doing that.

One solution is - in TLS3 abolish cipher agility, and have only one suite: call it Jim's suite. The little padlock in the browser now says "protected by Jim". Everybody now knows what that means, or can find out. The meaning doesn't change according to things going on in the computer which the ordinary guy has no clue about.

After a few years, when Jim's suite is getting a little iffy, introduce Tom's suite in TLS4. Deprecate Jim's suite, then remove it.

People shouldn't really be rewriting libreSSL - they should be writing libreTLS3 instead, with no cipher suite agility. Apart from anything else, with only one suite and one protocol, that should be a lot easier to do.

PS: is there an archive of libreSSL@openbsd anywhere?

-- Peter Fairbrother
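The questions the post above lists (forward secrecy? authentication? how strong?) can at least be answered mechanically for a given configuration, which is the practical side of "eliminating weak suites from use". The following is an added example, not code from the thread, from LibreSSL or from any of its authors: it uses Python's `ssl` module (OpenSSL- or LibreSSL-backed) to list every suite a context can negotiate and flags the ones that fail an assumed policy (forward secrecy, non-anonymous authentication, AEAD, at least 128-bit keys). The `CONSTRUCTED_SUITES` entries are hand-written in the shape `SSLContext.get_ciphers()` returns so the audit can be exercised without depending on which suites the local library build still ships; the `HARDENED` cipher string is an assumption made for the example, not a recommendation from the thread.

```python
"""Audit which cipher suites a TLS context can actually negotiate.

Added example; not part of the mailing-list thread or of LibreSSL.
The policy encoded here (forward secrecy, real authentication, AEAD,
>= 128-bit keys) is an assumption chosen for illustration.
"""
import ssl

# Key-exchange values reported by SSLContext.get_ciphers() that give
# forward secrecy. TLS 1.3 suites report "kx-any" (always (EC)DHE).
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}
MIN_STRENGTH_BITS = 128  # assumed policy threshold


def suite_problems(c):
    """Return the policy violations for one get_ciphers() entry (empty list = acceptable)."""
    problems = []
    if c.get("kea", "kx-unknown") not in FORWARD_SECRET_KX:
        problems.append("no forward secrecy")
    # "auth-null" is how anonymous (ADH/AECDH) suites are reported: no authentication at all.
    if c.get("auth", "auth-unknown") in ("auth-null", "auth-unknown"):
        problems.append("no authentication")
    if not c.get("aead", False):
        problems.append("not AEAD")
    bits = c.get("strength_bits", 0)
    if bits < MIN_STRENGTH_BITS:
        problems.append(f"{bits}-bit key")
    return problems


def audit(suites):
    """Map suite name -> problems, for every suite in `suites` that fails the policy."""
    return {c["name"]: suite_problems(c) for c in suites if suite_problems(c)}


def build_context(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Client context restricted to cipher_string; get_ciphers() then shows what can be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_string)
    return ctx


def audit_cipher_string(cipher_string):
    """Audit the suites a context built from this OpenSSL-style cipher string can negotiate."""
    return audit(build_context(cipher_string).get_ciphers())


# Constructed entries in get_ciphers() shape (not taken from any real build) so the
# audit can be run even on a library that no longer ships export or anonymous suites.
CONSTRUCTED_SUITES = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40,
     "aead": False, "kea": "kx-rsa", "auth": "auth-rsa"},
    {"name": "ADH-AES256-SHA", "protocol": "SSLv3", "strength_bits": 256,
     "aead": False, "kea": "kx-dhe", "auth": "auth-null"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128,
     "aead": True, "kea": "kx-rsa", "auth": "auth-rsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128,
     "aead": True, "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "strength_bits": 256,
     "aead": True, "kea": "kx-any", "auth": "auth-any"},
]

# Assumed hardened cipher string: ECDHE key exchange, AEAD bulk ciphers, no anonymous/null suites.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"

if __name__ == "__main__":
    print("constructed suites:")
    for name, problems in audit(CONSTRUCTED_SUITES).items():
        print(f"  reject {name}: {', '.join(problems)}")
    for cs in ("DEFAULT", HARDENED):
        ctx = build_context(cs)
        rejected = audit(ctx.get_ciphers())
        print(f"{cs!r}: {len(ctx.get_ciphers())} negotiable, {len(rejected)} rejected by policy")
        for name, problems in rejected.items():
            print(f"  reject {name}: {', '.join(problems)}")
```

Note what the audit does and does not answer: it inspects the suites a local context is willing to offer or accept, which is the "definitively eliminated from use" half of the problem; it says nothing about the peer, about the curve or key size behind the certificate chain (the point raised about CA certificates above), or about a downgrade forced by a protocol flaw, which is exactly why the post argues configuration alone cannot make the padlock meaningful.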