
Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

May 10, 2015


Engineering

Sam Gammon

General overview of TLS and SSL on today's internet, with tips about how you can protect your website with strong and unbroken cipher configurations.
Transcript
Page 1: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

COMPATIBILITY, SECURITY & PERFORMANCE: FINDING A BALANCE WITH SSL / TLS THAT DOESN’T EXIST

sam gammon (sam @ keen dot io)

Page 2: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

I AM A SECURITY ENGINEER.

Pages 3-7: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist (build-up slides, shown once)

I AM A SECURITY ENGINEER.

I AM A GUY WHO HAS SPENT WAY TOO MUCH TIME WORRYING ABOUT GIBBERISH

(THERE ARE NO WORDS THERE)

I DON’T KNOW MUCH ABOUT THE MATHS BEHIND ENCRYPTION.

I DO KNOW HOW YOU CAN PROTECT YOUR APPS IN THE REAL WORLD.

Page 8: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

agenda:

1) alice & bob: a short note on asymmetric algorithms

2) intro to SSL/TLS on today’s internet

3) tour of the secure web, from the perspective of a lowly cipher line

4) next-gen ciphers and features

5) useful tools

6) Q&A and story time !!!

Page 9: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Alice & Bob Asymmetric vs. Symmetric Encryption

Page 10: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

intro to TLS

Page 11: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

here is the OSI model

Page 12: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

my protocols, let me show you them


ARP/L2TP

Bluetooth/Ethernet

IP / ICMP

TCP / UDP

SOCKS / SPDY

MIME

HTTP / DNS

Page 13: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

a regular HTTP request uses these

IP
TCP
HTTP

GET /home HTTP/1.1
Host: keen.io
Connection: keep-alive
Cache-Control: no-cache
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

SYN, SYN-ACK, ACK

packets!

Page 14: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

OSI model

IP: “address”
TCP: “connection”
HTTP: “request” / “response”

Page 15: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

OSI model, and what implements each layer here

Ethernet: Gigabit Ethernet
IP: OS (linux)
TCP: haproxy / OS (linux)
HTTP: nginx / haproxy

Page 16: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

OSI model, with TLS added

IP
TCP
TLS
HTTP

Page 17: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

OSI model, with TLS added, and what implements each layer

Ethernet: Gigabit Ethernet
IP: OS (linux)
TCP: haproxy / OS (linux)
TLS: OpenSSL
HTTP: nginx / haproxy

Page 18: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

OSI model

IP
TCP
TLS  }
HTTP } = HTTPS (HTTP carried over TLS)

Page 19: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

TLS has its own handshake…

1) client says hello: passes a list of supported ciphers, in priority order, plus other capabilities like SNI (the hostname it wants)

2) server says hello: picks one cipher out of the client’s list (using the server’s own preference order, if it is configured to prefer it), passes its certificate chain, and answers other capabilities like NPN/ALPN

n) they agree and connect: a cipher is chosen, a protocol version is selected, keys are exchanged

… a while later …

Page 21: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

elements of a cipher spec

key exchange | protocol | symmetric cipher | key size | brokenness
ECDHE | TLSv1.2 | AES-GCM | 128: fast, 256: strong | “no reason to believe it’s broken… yet”
DHE | TLSv1 | AES-CBC (GCM only exists from TLSv1.2 on) | 128: fast, 256: strong | “could be broken if you’re not careful”
none (RSA key transport) | SSLv3 | RC4 | 128, that’s all you get | “well, fuck it. it’s definitely broken, at least break fast?”

Page 23: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Tools

Page 24: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Testing: Qualys SSL Labs

1) Awesome for experimenting with settings
2) Great for detecting issues
3) Pretty reports
4) Fantastic compatibility simulator

Page 26: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Diagnostics: OpenSSL

1) Tools for generating keys / certificates
2) openssl s_client for SSL client testing
3) openssl ocsp for OCSP testing
4) Benchmark your ciphers with openssl speed
5) openssl ciphers -v '…' to see exactly which suites, in which order, a cipher string expands to on the OpenSSL you actually ship

Page 27: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Diagnostics: Wireshark

1) Extremely powerful
2) Kind of outside the scope of this talk
3) Can be configured with your private key/cert to decrypt traffic, but only for RSA key-transport suites; with ECDHE/DHE suites the private key is useless for this (that is the whole point of forward secrecy), so you need the per-session keys logged by the client or server instead
4) See traffic at all levels (ARP, IP, TCP, TLS, DNS & HTTP)

Page 28: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Always: yer favorite browser

Page 29: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

CIPH3R$!!1!

Page 30: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDH-RSA-RC4-SHA RC4-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA !ECDSA !DSA !3DES !aNULL !eNULL !SEED !MD5 !EXP !PSK !SRP !DSS !LOW";

(nginx hands this string straight to OpenSSL, which accepts spaces, colons or commas between tokens; tokens that start with “!” are removed for good, the rest are offered in the order written)

Page 31: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

THIS IS A CIPHER LINE. IT’S BASICALLY A LIST OF YOUR FAVORITE <3 CIPHERS, AND ALSO THE ONES YOU HATE

Page 32: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ssl_ciphers "
 1 ECDHE-RSA-AES128-GCM-SHA256
 2 ECDHE-RSA-AES256-GCM-SHA384
 3 ECDHE-RSA-AES128-SHA256
 4 ECDHE-RSA-AES256-SHA384
 5 ECDH-RSA-AES128-SHA256
 6 ECDH-RSA-AES256-SHA384
 7 DHE-RSA-AES128-GCM-SHA256
 8 DHE-RSA-AES256-GCM-SHA384
 9 ECDHE-RSA-RC4-SHA
10 ECDHE-RSA-AES128-SHA
11 ECDHE-RSA-AES256-SHA
12 ECDH-RSA-RC4-SHA
13 RC4-SHA
14 DHE-RSA-AES128-SHA
15 AES256-SHA
16 AES128-SHA
17 !ECDSA !DSA
18 !3DES !aNULL !eNULL !SEED
19 !MD5 !EXP !PSK !SRP !DSS !LOW
";

IT’S RANKED FROM TOP TO BOTTOM

Page 33: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

THEY COME IN ALL SHAPES AND SIZES

Page 34: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

EVERY HTTPS SERVER HAS ONE

ciphers AES:ALL:!aNULL:!eNULL

ssl_ciphers SSL_RSA_WITH_RC4_128_MD5 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDH_RSA_WITH_RC4_128_SHA;

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP (Apache httpd)

tls.createServer({ ciphers: "AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH" }, …); (Node.js)

<cipherSpecList> <cipherSpec> <cipher>RC4</cipher> <hash>SHA256</hash> <exchange>ECDHE</exchange> …

Page 35: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

THE SECURITY OF YOUR SITE DEPENDS LARGELY ON THE ORDER OF THESE ARBITRARY TOKENS. :(
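To make the “arbitrary tokens” a little less arbitrary, here is a small audit of the cipher line from slide 30. It is an added example written for this page, not code from the talk, from nginx or from OpenSSL. It splits the string the way OpenSSL does (on spaces, colons or commas), keeps the server-preference order, drops any suite that contains a killed “!” component, and decomposes each remaining name into key exchange, authentication, cipher, mode and MAC so that forward secrecy, AEAD, RC4 and CBC-on-old-protocols can be flagged. Two assumptions: the “!” handling only models component names (such as !RC4 or !MD5), not OpenSSL aliases like LOW or aNULL, and the warning texts are this example’s own wording.

```python
import re

# Constructed input: the nginx cipher line shown on slide 30 of this deck.
CIPHER_LINE = (
    "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 "
    "ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 "
    "ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-SHA384 "
    "DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 "
    "ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA "
    "ECDH-RSA-RC4-SHA RC4-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA "
    "!ECDSA !DSA !3DES !aNULL !eNULL !SEED !MD5 !EXP !PSK !SRP !DSS !LOW"
)

KEY_EXCHANGES = {"ECDHE", "DHE", "EDH", "ECDH", "DH"}
EPHEMERAL = {"ECDHE", "DHE", "EDH"}      # these give forward secrecy
TLS12_MACS = {"SHA256", "SHA384"}         # SHA-2 MACs only exist in TLS 1.2 suites


def parse_cipher_line(line):
    """Split an OpenSSL cipher string on its separators (':' ',' or whitespace)
    into the ordered list of wanted suites and the set of '!'-killed tokens."""
    wanted, killed = [], set()
    for tok in re.split(r"[\s:,]+", line.strip()):
        if not tok:
            continue
        if tok.startswith("!"):
            killed.add(tok[1:])
        else:
            wanted.append(tok)
    return wanted, killed


def classify(suite):
    """Decompose an OpenSSL suite name into key exchange, authentication,
    symmetric cipher, mode and MAC, and derive the properties that matter."""
    parts = suite.split("-")
    if parts[0] in KEY_EXCHANGES:
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        kx = auth = "RSA"      # no prefix means RSA key transport + RSA auth
        rest = parts
    cipher, mac = rest[0], rest[-1]
    if "GCM" in rest:
        mode = "GCM"
    elif cipher == "RC4":
        mode = "stream"
    else:
        mode = "CBC"
    return {
        "suite": suite, "kx": kx, "auth": auth, "cipher": cipher,
        "mode": mode, "mac": mac,
        "forward_secrecy": kx in EPHEMERAL,
        "aead": mode == "GCM",
        "rc4": cipher == "RC4",
        "cbc": mode == "CBC",
        # Suites with GCM or a SHA-2 MAC need TLS 1.2; everything else is an
        # SSLv3-era suite that SSLv3/TLS 1.0 clients can also negotiate.
        "min_protocol": "TLSv1.2" if mode == "GCM" or mac in TLS12_MACS else "SSLv3",
    }


def audit(line):
    """Return the admitted suites in server-preference order with their
    classification and warnings. A '!' token removes every suite that has
    that token as a component, mimicking OpenSSL's kill semantics."""
    wanted, killed = parse_cipher_line(line)
    ranked = []
    for rank, suite in enumerate(wanted, start=1):
        if killed & set(suite.split("-")):
            continue
        info = classify(suite)
        info["rank"] = rank
        warnings = []
        if info["rc4"]:
            warnings.append("RC4: keystream biases; prohibited by RFC 7465")
        if info["cbc"] and info["min_protocol"] == "SSLv3":
            warnings.append("CBC with chained IV: BEAST on SSLv3/TLS 1.0")
        if not info["forward_secrecy"]:
            warnings.append("no forward secrecy")
        info["warnings"] = warnings
        ranked.append(info)
    return ranked


def strict_subset(line):
    """The suites you would keep on a site with no legacy clients:
    ephemeral key exchange and an AEAD mode, nothing else."""
    return [s for s in audit(line) if s["forward_secrecy"] and s["aead"]]


if __name__ == "__main__":
    for s in audit(CIPHER_LINE):
        flags = ", ".join(s["warnings"]) or "ok"
        print(f"{s['rank']:2d} {s['suite']:<30} {s['kx']:<5} {s['mode']:<6} "
              f"{s['min_protocol']:<7} {flags}")
    print("strict:", [s["suite"] for s in strict_subset(CIPHER_LINE)])
```

Run it and the ranking on slide 32 prints with a verdict per row; the four ECDHE/DHE GCM suites are the only ones that come out clean, which is the shape of the argument the rest of the deck makes suite by suite.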

Page 36: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist
Page 37: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ssl_ciphers “ ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDH-RSA-RC4-SHA RC4-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA !ECDSA !DSA !3DES !aNULL !eNULL !SEED !MD5 !EXP !PSK !SRP !DSS !LOW “;

Page 38: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ssl_ciphers “ ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDH-RSA-RC4-SHA RC4-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA !ECDSA !DSA !3DES !aNULL !eNULL !SEED !MD5 !EXP !PSK !SRP !DSS !LOW “;

Page 39: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

the ones you hate: !ECDSA !DSA !3DES !aNULL !eNULL !SEED !MD5 !EXP !PSK !SRP !DSS !LOW

DO NOT WANT:

MD5 is broken

eNULL means no encryption at all!!

aNULL means no authentication: anonymous key exchange, so anyone in the middle can impersonate the server

LOW means 56- and 64-bit ciphers (EXP is the 40-bit export stuff); gross either way


Page 41: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

!ECDSA !DSA

these ones are chill*, but usually there’s no support for them, client or server side

*DSA was designed at the NSA, and the NIST curves normally used with ECDSA were generated there too, so if you are paranoid don’t use ’em

Page 42: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

instead, we’ll be talking about RSA stuff today (mostly)*

*RSA the algorithm was published by Rivest, Shamir and Adleman in 1977 and is not known to be weakened. RSA the company, named after them, was reported in 2013 to have been paid by the NSA to make the backdoored Dual_EC_DRBG random number generator the default in its BSAFE library. so if you’re paranoid, write your own encryption (don’t, actually); the NSA’s fingerprints are on standards and vendors, not on the RSA maths


Page 44: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDH-RSA-RC4-SHA RC4-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA

these (the suites with no GCM and a plain SHA-1 MAC) are for old browsers, specifically SSLv3-era ones. all of them are “broken” in some way; some are more broken than others, though

Page 45: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA

the AES-CBC suites expose you to the BEAST attack on SSLv3 and TLS 1.0. it isn’t “old versions of AES”: the block cipher is fine, but those protocol versions chain the CBC IV from the previous record, which is exactly what BEAST exploits (TLS 1.1 and later use an explicit per-record IV and are not affected)

that’s why these ciphers are the least desired

if you can get away with it, turn them off

Page 46: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECDHE-RSA-RC4-SHA ECDH-RSA-RC4-SHA RC4-SHA

these are for old browsers too. RC4 is broken too, and not only by the NSA: the keystream biases published in 2013 let anyone who can capture enough encryptions of the same plaintext (a session cookie, say) recover it, and RFC 7465 (February 2015) prohibits RC4 in TLS outright

Page 47: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

the reasoning for ranking RC4 above AES-CBC was that BEAST needed only some rando with a tool, while breaking RC4 needed a nation-state, so RC4 was slightly less bad. with the bias attacks public and browsers dropping RC4 that trade-off no longer holds: both belong at the bottom of a list that prefers AES-GCM, and RC4 should go entirely as soon as your clients allow

Page 48: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA

THERE IS ONLY ONE GIFT YOU GET WITH TLS ON TODAY’S INTERNET

Page 49: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Forward Secrecy! :)

(that’s every ECDHE- and DHE- suite above. the ECDH-RSA- ones, despite the similar name, use a static ECDH key and give you no forward secrecy)

Page 50: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

without forward secrecy…

Page 51: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

with forward secrecy…

1) client says hello: passes a list of supported ciphers, in priority order, plus other capabilities like SNI

2) server says hello: picks a cipher, passes its certificate chain, answers other capabilities like NPN/ALPN

3) server generates an ephemeral (EC)DH key pair for this connection only and signs the public half with its certificate’s private key; the client generates its own ephemeral key pair and sends the public half

n) they agree and connect: a cipher is chosen, a protocol is selected, the session keys are derived from the ephemeral shared secret, and the ephemeral private keys are thrown away

… a while later …

someone who recorded the connection and later gets hold of the server’s private key can check the old signature but cannot recover the shared secret, so the recording stays unreadable. without forward secrecy (RSA key exchange) that same private key decrypts the recorded session key, and everything after it
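The difference between those two “a while later” outcomes, as an added example written for this page (not code from the talk). It uses textbook RSA and a tiny DH group constructed for illustration, far too small for real use: one function models RSA key transport, one models an ephemeral DH exchange whose server value is signed with the same long-term RSA key, and a third plays the attacker who recorded the wire and later obtained that key. The session key falls straight out of the RSA-transport recording; the DHE recording yields nothing, because the long-term key only ever produced a signature.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example only. Real deployments use
# 2048-bit RSA keys and 2048-bit-or-larger DH groups (or named EC curves).
P_RSA, Q_RSA = (1 << 127) - 1, (1 << 89) - 1   # two Mersenne primes
N_RSA = P_RSA * Q_RSA
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))   # needs Python 3.8+

DH_P = (1 << 127) - 1   # prime modulus of the toy DH group
DH_G = 3


def kdf(secret):
    """Derive a session key from a shared secret (stands in for the TLS PRF)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def _digest_mod_n(value):
    """Hash an integer and reduce it into the RSA modulus (textbook signing input)."""
    h = hashlib.sha256(value.to_bytes(32, "big")).digest()
    return int.from_bytes(h, "big") % N_RSA


def rsa_key_transport_session():
    """RSA key exchange: the client chooses the premaster secret and encrypts
    it to the server's long-term public key. Returns what a wiretap sees and
    the session key both ends derive."""
    premaster = secrets.randbelow(N_RSA)
    wire = {"encrypted_premaster": pow(premaster, E_RSA, N_RSA)}
    return {"wire": wire, "session_key": kdf(premaster)}


def dhe_session():
    """Ephemeral DH: each side picks a one-time exponent; the server signs its
    public value with the long-term key so the client knows who it talks to."""
    a = secrets.randbelow(DH_P - 3) + 2          # client's ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2          # server's ephemeral secret
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signature = pow(_digest_mod_n(server_pub), D_RSA, N_RSA)
    shared = pow(client_pub, b, DH_P)             # == pow(server_pub, a, DH_P)
    wire = {"client_public": client_pub, "server_public": server_pub,
            "server_signature": signature}
    # a and b go out of scope here; only the derived session key lives on.
    return {"wire": wire, "session_key": kdf(shared)}


def verify_server_signature(wire):
    """Client-side check that the ephemeral value really came from the server."""
    expected = _digest_mod_n(wire["server_public"])
    return pow(wire["server_signature"], E_RSA, N_RSA) == expected


def attacker_with_stolen_key(wire):
    """The attacker recorded `wire` and later obtained D_RSA. Returns the
    recovered session key, or None when the recording holds nothing the
    long-term key can unlock."""
    if "encrypted_premaster" in wire:
        return kdf(pow(wire["encrypted_premaster"], D_RSA, N_RSA))
    # DHE: D_RSA can only forge signatures. Getting the shared secret from
    # client_public and server_public alone is the discrete-log problem.
    return None


if __name__ == "__main__":
    rsa = rsa_key_transport_session()
    print("RSA transport, key stolen later, session recovered:",
          attacker_with_stolen_key(rsa["wire"]) == rsa["session_key"])
    dhe = dhe_session()
    print("DHE signature valid:", verify_server_signature(dhe["wire"]))
    print("DHE, key stolen later, session recovered:",
          attacker_with_stolen_key(dhe["wire"]) is not None)
```

The toy group is deliberately small and its discrete log is easy in practice; the point is structural: in the DHE recording there is no ciphertext addressed to the long-term key, so stealing that key later buys an impersonation capability for future connections, not the past traffic.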


Page 53: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA

these are for TLS 1.0 clients: ephemeral key exchange, but a SHA-1 MAC and no GCM. RC4 is still prioritized over AES-CBC here, for the reasons (and with the caveats) on the RC4 slides. AES-CBC is still broken on TLS 1.0 :(

BEAST is the CBC attack. CRIME and BREACH are compression attacks (TLS compression and HTTP response compression, respectively) and have nothing to do with which cipher you pick: turn TLS compression off, and deal with BREACH at the application layer (no secrets next to attacker-controlled input in compressed responses)


Page 55: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384

GCM is unbroken! Yay! (AES-GCM is an authenticated-encryption mode: no CBC padding and no MAC-then-encrypt, so the BEAST/Lucky 13 family of attacks does not apply. the one rule is never to reuse a nonce under the same key, which the per-record counter in TLS takes care of)

Page 56: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-SHA384

AES-CBC is usable in TLS 1.2 (and 1.1), but only because those versions use an explicit per-record IV, which kills BEAST. it has nothing to do with compression or forward secrecy: compression should be off regardless (CRIME), and forward secrecy comes from the key exchange, not the cipher. CBC with a SHA-2 MAC is still MAC-then-encrypt, so you are relying on your TLS library’s Lucky 13 countermeasures; prefer the GCM suites
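Reading suite names tells you what a cipher string means; asking the OpenSSL you actually ship tells you what it will do. This added Python example (not from the talk) is the in-process equivalent of `openssl ciphers -v '<string>'`: it hands a candidate string to an `ssl.SSLContext`, reads back the suites OpenSSL resolved in server-preference order, and checks each one against a policy using the per-suite metadata Python exposes (`kea`, `aead`, `symmetric`) rather than by parsing names. Suites your build lacks (RC4 in most modern builds) simply do not appear, which is exactly what you want to find out before deploying. The candidate string and the policy (every suite must give forward secrecy and use an AEAD mode) are this example’s own assumptions.

```python
import ssl

# Constructed candidate: two good suites plus two deliberately weak ones
# (CBC with forward secrecy, and AEAD without forward secrecy).
CANDIDATE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!aNULL:!MD5"
)

FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}   # OpenSSL's names for ephemeral key exchange


def resolve_ciphers(cipher_string):
    """Ask the linked OpenSSL what this string expands to, in the order the
    server will prefer. Raises ssl.SSLError if nothing at all matches.
    TLS 1.3 suites are fixed by OpenSSL and not governed by the string, so
    they are filtered out to show only what the string controls."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_policy(cipher_string):
    """Return (ok, problems): every resolved suite must use an ephemeral key
    exchange and an AEAD mode. Uses OpenSSL's own metadata, not name parsing."""
    problems = []
    for c in resolve_ciphers(cipher_string):
        if c["kea"] not in FORWARD_SECRET_KX:
            problems.append(f"{c['name']}: {c['kea']} gives no forward secrecy")
        if not c["aead"]:
            problems.append(f"{c['name']}: {c['symmetric']} is not an AEAD mode")
    return (not problems, problems)


def preferred_order(cipher_string):
    """Just the suite names, so a deploy script can diff them against what
    the previous OpenSSL build resolved."""
    return [c["name"] for c in resolve_ciphers(cipher_string)]


if __name__ == "__main__":
    for c in resolve_ciphers(CANDIDATE):
        print(f"{c['name']:<30} {c['protocol']:<7} {c['kea']:<9} "
              f"{c['symmetric']:<12} aead={c['aead']} bits={c['strength_bits']}")
    ok, problems = check_policy(CANDIDATE)
    print("policy:", "ok" if ok else "\n  " + "\n  ".join(problems))
```

Because `ssl.SSLContext` needs no certificate to resolve a cipher string, this runs anywhere Python runs; wire `check_policy` into a deploy check and a stray CBC or RSA-key-transport suite fails the build instead of reaching production.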


Page 58: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

The future!

Page 59: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

OCSP Stapling

1) OCSP is a way for a client to ask the CA whether a certificate has been revoked

2) Certs can be revoked by the CA when their keys are breached

3) “Stapling” a signed, still-valid OCSP response into the TLS handshake (the Certificate Status message, not the HTTP response) saves the client a round trip to the CA and keeps the CA from seeing who visits your site. the stapled response has its own validity window, so the server has to keep refreshing it

Page 60: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECC & DSA Certificates

1) ECC is an alternate key structure to RSA or DSA

2) ECC keys are “faster” to compute/sign/verify, and “stronger” than RSA and DSA at “smaller” key sizes

3) Almost nobody supports it (CAs and browsers both). CAs: Symantec is the only one I’ve found. Browsers: the usual modern suspects (WebKit/Blink/SpiderMonkey/barely any Trident)

Page 61: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

ECC & DSA Certificates

key type | security vs. key-size growth | size for AES-128-equivalent security | maths
ECC | linear | 256-bit | elliptic curves
DSA | exponential | 3,072-bit | finite fields (discrete log)
RSA | exponential | 3,072-bit | integer factorization

Page 62: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Salsa20 / Poly1305 (ChaCha20-Poly1305)

1) These are not Google’s ciphers: Salsa20, its variant ChaCha20, and Poly1305 were designed by Daniel J. Bernstein. Google put ChaCha20-Poly1305 into Chrome and its own servers in 2014, which is why it gets the credit

2) They haven’t been chill enough to share the server-side bits yet*

3) ChaCha20 (the Salsa20 variant actually used in TLS) is a new stream cipher (replaces RC4!) that is fast in software, on phones especially

4) Poly1305 is a one-time MAC that takes its per-message key from a cipher (Poly1305-AES originally, ChaCha20 in TLS); paired with ChaCha20 it gives an AEAD suite, so an AES-CBC break won’t fail us again

5) Would be great to have server-side but only Chrome supports this stuff yet

*there might be some patches for OpenSSL that may or may not work in the Chromium source tree… :)

Page 63: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

AES-GCM Support

1) GCM-based suites were only introduced in TLSv1.2 (RFC 5288), so a client needs TLS 1.2 to get them

2) Chrome (>=31) is all good, so are Firefox and Safari

3) IE 11 is all good (sometimes)

4) >=iOS 5 should have it; Android

5) Java support is spotty

Page 64: Compatibility, Security & Performance: Finding a Balance With SSL / TLS That Doesn't Exist

Q&A / Experiences