Remove Legacy TLS Ciphersuites from Initial Handshake by Default

nellie.petrie
I am using Marlene Pratt's "Proposal to Remove legacy TLS Ciphersuits Offered by Firefox" from 13 Dec 2013 on dev-tech-crypto mailing list as a guideline.

I present a proposal to remove some legacy ciphersuites from the initial handshake presented by Firefox.

In Firefox 36, we have removed RC4 from the initial handshake, as well as implemented a secondary/fallback handshake for badly configured servers.

I have read the updated version of best current practices regarding Recommendations for Secure Use of TLS and DTLS:

https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-11

These are the default available ciphersuites in Firefox 36.0:

C02B  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C00A  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C009  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C014  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0039  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F  TLS_RSA_WITH_AES_128_CBC_SHA
0035  TLS_RSA_WITH_AES_256_CBC_SHA
000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA

I propose removal of the following ciphersuite:

0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA

because DSS (the non-EC version) is obsolete, and based on preliminary telemetry and Pulse data is not being negotiated at all with any servers out there. My testing indicates that there are no public nor private servers that would support only this ciphersuite - please provide some data if you think otherwise.

I also propose removing the following ciphersuite:

000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA

because 3DES is a cipher that requires too much computing power compared to AES, much more computer memory, lacks hardware acceleration on servers, is rarely negotiated, has had its bit strength reduced below 128 bits, and its removal is on track with avoiding (and eventually removing) RSA key exchange. Additionally, the servers that support (or even prefer!) 3DES always support some AES ciphersuite too.

This would bring the list of presented ciphersuites down to:

C02B  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
C02F  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
C00A  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
C009  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
C013  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
C014  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0033  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0039  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
002F  TLS_RSA_WITH_AES_128_CBC_SHA
0035  TLS_RSA_WITH_AES_256_CBC_SHA

The secondary/fallback handshake can still offer the ciphersuites proposed for removal. The main point is we want to show servers that we intend to keep the list of supported ciphersuites modern and secure.

The benefits of this change remain the same as in Marlene Pratt's original proposal. Given that it took 10 (ten) Firefox versions (from Firefox 26 to Firefox 36) to implement the previous proposal, now is a good time to start talking about this new proposal. Hopefully it will not take until Firefox 46 to have it implemented.
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

Kosuke Kaizuka
On 2015/02/28 10:03, [hidden email] wrote:
> I propose removal of the following ciphersuite:
>
> 0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>
> because DSS (the non-EC version) is obsolete, and based on preliminary telemetry and Pulse data is not being negotiated at all with any servers out there. My testing indicates that there are no public nor private servers that would support only this ciphersuite - please provide some data if you think otherwise.

TLS_DHE_DSS_WITH_AES_128_CBC_SHA has already been removed from Fx 37 by
Bug 1073867 and 1114295.

https://bugzilla.mozilla.org/show_bug.cgi?id=1073867
https://bugzilla.mozilla.org/show_bug.cgi?id=1114295

>
> I also propose removing the following ciphersuite:
>
> 000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA
>
> because 3DES is a cipher that requires too much computing power compared to AES, much more computer memory, lacks hardware acceleration on servers, is rarely negotiated, has had its bit strength reduced below 128 bits, and its removal is on track with avoiding (and eventually removing) RSA key exchange. Additionally, the servers that support (or even prefer!) 3DES always support some AES ciphersuite too.

Some old servers offer only TLS_RSA_WITH_3DES_EDE_CBC_SHA and
TLS_RSA_WITH_RC4_SHA. If TLS_RSA_WITH_3DES_EDE_CBC_SHA is removed,
TLS_RSA_WITH_RC4_SHA will be used.

--
Kosuke Kaizuka <[hidden email]>

Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

Kurt Roeckx
In reply to this post by nellie.petrie
On 2015-02-28 04:15, Kosuke Kaizuka wrote:
>> I also propose removing the following ciphersuite:
>>
>> 000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>
>> because 3DES is a cipher that requires too much computing power compared to AES, much more computer memory, lacks hardware acceleration on servers, is rarely negotiated, has had its bit strength reduced below 128 bits, and its removal is on track with avoiding (and eventually removing) RSA key exchange. Additionally, the servers that support (or even prefer!) 3DES always support some AES ciphersuite too.
>
> Some old servers offer only TLS_RSA_WITH_3DES_EDE_CBC_SHA and
> TLS_RSA_WITH_RC4_SHA. If TLS_RSA_WITH_3DES_EDE_CBC_SHA is removed,
> TLS_RSA_WITH_RC4_SHA will be used.

Yes, we do want to use 3DES with those servers and not RC4.


Kurt



Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

Hubert Kario
In reply to this post by nellie.petrie
On Saturday 28 February 2015 01:03:39 [hidden email] wrote:

> I am using Marlene Pratt's "Proposal to Remove legacy TLS Ciphersuits
> Offered by Firefox" from 13 Dec 2013 on dev-tech-crypto mailing list as a
> guideline.
>
> I present a proposal to remove some legacy ciphersuites from the initial
> handshake presented by Firefox.
>
> In Firefox 36, we have removed RC4 from the initial handshake, as well as
> implemented a secondary/fallback handshake for badly configured servers.
>
> I have read the updated version of best current practices regarding
> Recommendations for Secure Use of TLS and DTLS:
>
> https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-11
>
> These are the default available ciphersuites in Firefox 36.0:
>
> C02B  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> C02F  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> C00A  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> C009  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> C013  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> C014  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> 0033  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> 0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> 0039  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> 002F  TLS_RSA_WITH_AES_128_CBC_SHA
> 0035  TLS_RSA_WITH_AES_256_CBC_SHA
> 000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA
>
> I propose removal of the following ciphersuite:
>
> 0032  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>
> because DSS (the non-EC version) is obsolete, and based on preliminary
> telemetry and Pulse data is not being negotiated at all with any servers
> out there. My testing indicates that there are no public nor private
> servers that would support only this ciphersuite - please provide some data
> if you think otherwise.
>
> I also propose removing the following ciphersuite:
>
> 000A  TLS_RSA_WITH_3DES_EDE_CBC_SHA
>
> because 3DES is a cipher that requires too much computing power compared to
> AES, much more computer memory, lacks hardware acceleration on servers, is
> rarely negotiated, has had its bit strength reduced below 128 bits, and its
> removal is on track with avoiding (and eventually removing) RSA key
> exchange. Additionally, the servers that support (or even prefer!) 3DES
> always support some AES ciphersuite too.

Not true. In Alexa top 1 million I found at least 439 servers which support
only 3DES and have valid certificates. If Firefox removes RC4, I'm sure that
this will make this number effectively only larger (80% of servers still
support RC4, 15% prefer RC4 over any and all ciphers).
 
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

Kurt Roeckx
In reply to this post by nellie.petrie
On 2015-03-02 13:32, Hubert Kario wrote:
>
> Not true. In Alexa top 1 million I found at least 439 servers which support
> only 3DES and have valid certificates. If Firefox removes RC4, I'm sure that
> this will make this number effectively only larger (80% of servers still
> support RC4, 15% prefer RC4 over any and all ciphers).

Please note that since 36 (released last week) RC4 is not offered in the
initial connection anymore.  See:
https://developer.mozilla.org/en-US/Firefox/Releases/36#Security
https://bugzilla.mozilla.org/show_bug.cgi?id=1088915


Kurt


Re: Remove Legacy TLS Ciphersuites from Initial Handshake by Default

Hubert Kario
On Monday 02 March 2015 13:51:24 Kurt Roeckx wrote:

> On 2015-03-02 13:32, Hubert Kario wrote:
> > Not true. In Alexa top 1 million I found at least 439 servers which
> > support
> > only 3DES and have valid certificates. If Firefox removes RC4, I'm sure
> > that this will make this number effectively only larger (80% of servers
> > still support RC4, 15% prefer RC4 over any and all ciphers).
>
> Please note that since 36 (released last week) RC4 is not offered in the
> initial connection anymore.  See:
> https://developer.mozilla.org/en-US/Firefox/Releases/36#Security
> https://bugzilla.mozilla.org/show_bug.cgi?id=1088915

And those stats were from 36 only?

Anyway, Firefox still accepts 2048 bit RSA keys, which have approximately the
same security margin as 3DES. Dropping 3DES won't make the connections more
secure while it will cause connection problems to Windows 2k3 servers.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
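
The negotiation outcomes argued over in this thread, worked through as an added example; it is not part of any poster's message and is not Firefox or NSS code. Assumptions: the server picks by its own preference order, the fallback handshake re-offers the initial list plus the given extras (the thread does not state its exact contents), and both server configurations are constructed.

```python
# Simplified model of TLS suite selection; added example, not Firefox/NSS code.
FX36_INITIAL = [  # default list quoted in the thread
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
DSS = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
TDES = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
RC4 = "TLS_RSA_WITH_RC4_SHA"  # suite name as written in the thread
PROPOSED_INITIAL = [s for s in FX36_INITIAL if s not in (DSS, TDES)]


def select(server_prefs, client_offer):
    """Assumed policy: server picks its most-preferred suite the client offers."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


def connect(server_prefs, initial, fallback_extra):
    """Try the initial offer, then a fallback offering initial + fallback_extra."""
    suite = select(server_prefs, initial)
    if suite is not None:
        return ("initial", suite)
    suite = select(server_prefs, initial + fallback_extra)
    return ("fallback", suite) if suite is not None else ("failed", None)


# Constructed server configurations matching the cases raised in the thread.
OLD_SERVER = [RC4, TDES]   # offers only RC4 and 3DES, prefers RC4
TDES_ONLY = [TDES]         # supports only 3DES

if __name__ == "__main__":
    for name, server in (("old", OLD_SERVER), ("3des-only", TDES_ONLY)):
        print(name, "fx36     ", connect(server, FX36_INITIAL, [RC4]))
        print(name, "proposed ", connect(server, PROPOSED_INITIAL, [RC4]))
        print(name, "prop+3des", connect(server, PROPOSED_INITIAL, [TDES, RC4]))
```

In this model, keeping 3DES only in the fallback offer lets the 3DES-only server connect on the second handshake, while a server that prefers RC4 still ends up on RC4.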