[Cryptography] People should turn on PFS in TLS
The Doctor
drwho at virtadpt.net
Fri Sep 6 20:34:04 EDT 2013
On 09/06/2013 01:13 PM, Perry E. Metzger wrote:
> Google is also now (I believe) using PFS on their connections, and
> they handle more traffic than anyone. A connection I just made to
> https://www.google.com/ came out as TLS 1.2, RC4_128, SHA1,
> ECDHE_RSA.
There may be limits to how far they've deployed PFS on their
user-facing services around the world at this time. I just accessed
encrypted.google.com and Gmail from home, and here's what the Calomel
SSL Validation add-on for Firefox (with HTTPS Finder and
HTTPS-Everywhere, verified manually) is telling me:
Symmetric cipher RC4 (weak 10/49)
Symmetric key length 128 bits (weak 8/19)
Cert issued by Google, Inc, US SHA-1 with RSA @ 2048 bit (MODERATE 2/6)
Manually keying https://www.google.com/ into my browser returned the
same thing.
Gmail shows me this:
Symmetric cipher RC4 (weak 10/39)
Symmetric key length 128 bits (weak 8/19)
Cert issued by Google, Inc, US SHA-1 with RSA @ 2048 bit (MODERATE 2/6)
https://www.google.com/analytics is returning the same as Gmail.
Let's contrast this with ChaosPad:
Symmetric cipher Camellia (STRONG 39/39)
Symmetric key length 256 bits (STRONG 19/19)
Cert issued by CAcert, Inc. SHA-1 with RSA @ 4096 bit (MODERATE 2/6)
I'd be very interested in what other people see where they are.
Alternatively, my browser's SSL/TLS configuration could be hosed, in
which case I'm completely off base and probably need to torch my
browser profile and start over.
--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
"Be the strange that you want to see in the world." --Gareth Branwyn
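As an added example (not part of this post and not one of the tools mentioned in the thread), here is a small Python check that classifies a TLS cipher-suite name by key exchange and bulk cipher, flagging forward secrecy (ECDHE/DHE) separately from weak ciphers such as RC4, with an optional live handshake through the standard library's ssl module. The suite names in the demo are constructed to match the observations above (ECDHE_RSA with RC4_128, plain RSA with RC4, DHE with Camellia-256).

```python
import re
import socket
import ssl

# Key-exchange tokens that give forward secrecy: an ephemeral (EC)DH
# exchange per session, so a later compromise of the server's long-term
# key cannot decrypt recorded traffic. ECDH/DH without the E are static.
PFS_KX = {"ECDHE", "DHE", "EDH"}
STATIC_KX = {"ECDH", "DH", "RSA"}
WEAK_BULK = {"RC4", "DES", "3DES", "NULL"}
DEFAULT_BITS = {"CHACHA20": 256, "RC4": 128, "3DES": 112, "DES": 56, "NULL": 0}
BULK_RE = re.compile(r"(CHACHA20|CAMELLIA|3DES|DES|AES|RC4|SEED|NULL)[-_]?(\d{3})?")

def analyze_cipher_suite(name):
    """Classify a suite given in IANA form (TLS_ECDHE_RSA_WITH_RC4_128_SHA)
    or OpenSSL form (ECDHE-RSA-AES128-GCM-SHA256, RC4-SHA)."""
    n = name.upper().replace("DES-CBC3", "3DES")   # OpenSSL's 3DES spelling
    tokens = set(re.split(r"[-_]", n))
    if n.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        kx = "TLS1.3-(EC)DHE"          # TLS 1.3 suites are always ephemeral
    elif tokens & PFS_KX:
        kx = "ECDHE" if "ECDHE" in tokens else "DHE"
    elif "ECDH" in tokens:
        kx = "ECDH"                    # static ECDH: no forward secrecy
    elif "DH" in tokens:
        kx = "DH"
    else:
        kx = "RSA"                     # OpenSSL omits the RSA kx token
    m = BULK_RE.search(n)
    bulk = m.group(1) if m else "UNKNOWN"
    bits = int(m.group(2)) if m and m.group(2) else DEFAULT_BITS.get(bulk, 0)
    return {"kx": kx, "pfs": kx not in STATIC_KX, "bulk": bulk, "bits": bits,
            "weak_bulk": bulk in WEAK_BULK or bits < 128}

def negotiated_suite(host, port=443, timeout=5):
    """Live check: the (suite, protocol, bits) this client negotiates with host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()

if __name__ == "__main__":
    # Constructed suite names matching the observations in the thread (offline).
    for suite in ("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "RC4-SHA",
                  "DHE-RSA-CAMELLIA256-SHA", "ECDH-RSA-AES128-SHA"):
        print(suite, analyze_cipher_suite(suite))
    # Live variant: print(analyze_cipher_suite(negotiated_suite("www.google.com")[0]))
```

Note that a suite can be forward-secret and still weak (ECDHE with RC4 is exactly that case), which is why the two flags are reported separately; the live check reflects what this particular Python/OpenSSL client negotiates, not everything the server offers.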