[Cryptography] People should turn on PFS in TLS
Ralph Holz
ralph-cryptometzger at ralphholz.de
Fri Sep 6 14:00:01 EDT 2013
Hi,
>>> It would be good to see them abandon RC4 of course, and soon.
>>
>> In favour of what, exactly? We're out of good ciphersuites.
>
> I thought AES was okay for TLS 1.2? Isn't the issue simply that
> Firefox etc. still use TLS 1.0? Note that this was a TLS 1.2
> connection.
Firefox has added TLS 1.2 two or three weeks ago, and TLS 1.2 does
indeed protect against BEAST, CRIME, Lucky 13 (but not against BREACH, I
recall).
However, my guess would be that too many Apaches out there are linked to
older openssl versions that do not yet support TLS 1.1 or TLS 1.2.
I have found this a good write-up:
https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
Ralph
More information about the cryptography
mailing list