[146674] in cryptography@c2.net mail archive
Re: [Cryptography] People should turn on PFS in TLS
daemon@ATHENA.MIT.EDU (Ralph Holz)
Fri Sep 6 14:32:46 2013
X-Original-To: cryptography@metzdowd.com
Date: Fri, 06 Sep 2013 20:00:01 +0200
From: Ralph Holz <ralph-cryptometzger@ralphholz.de>
To: cryptography@metzdowd.com
In-Reply-To: <20130906132421.162f33ae@jabberwock.cb.piermont.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Hi,
>>> It would be good to see them abandon RC4 of course, and soon.
>>
>> In favour of what, exactly? We're out of good ciphersuites.
>
> I thought AES was okay for TLS 1.2? Isn't the issue simply that
> Firefox etc. still use TLS 1.0? Note that this was a TLS 1.2
> connection.
Firefox has added TLS 1.2 two or three weeks ago, and TLS 1.2 does
indeed protect against BEAST, CRIME, Lucky 13 (but not against BREACH, I
recall).
However, my guess would be that too many Apaches out there are linked to
older openssl versions that do not yet support TLS 1.1 or TLS 1.2.
I have found this a good write-up:
https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
Ralph
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
