[Cryptography] People should turn on PFS in TLS

[ianG]

On 6/09/13 21:11 PM, Perry E. Metzger wrote:
> On Fri, 6 Sep 2013 18:56:51 +0100 Ben Laurie <ben at links.org> wrote:
>> The problem is that there's nothing good [in the way of ciphers]
>> left for TLS < 1.2.
>
> So, lets say in public that the browser vendors have no excuse left
> for not going to 1.2.
>
> I hate to be a conspiracy nutter, but it is that kind of week. Anyone
> at a browser vendor resisting the move to 1.2 should be viewed with
> deep suspicion.
>
> (Heck, if they're not on the government's payroll, then shame on them
> for retarding progress for free. They should at least be charging. And
> yes, I'm aware many of the people resisting are probably doing so
> without realizing they're harming internet security, but we can no
> longer presume that is the motive.)
>
> Chrome handles 1.2, there is no longer any real excuse for the others
> not to do the same.


The sentiment I agree with.  But the record of such transitions is not good.

E.g., Back in September 2009 Ray & Dispensa discovered a serious bug 
with renegotiation in SSL.  According to SSL Pulse, it took until around 
April of this year [0] before 80% of the SSL hosts were upgraded to 
cover the bug.

Which gives us an OODA response loop of around 3-4 years.

And, that was the best it got -- the SSL community actually cared about 
that bug.  It gets far worse in stuff that they consider not to be a 
bug, such as HTTPS Everywhere, TLS/SNI, MD5, browser security fixes for 
phishing, HTTP-better-than-self-signed, HTTPS starting up with its own 
self-signed cert, etc, etc.



iang


[0] it depends on how you measure the 80% mark, though.
PS: More here on OODA loops
http://financialcryptography.com/mt/archives/001210.html
http://financialcryptography.com/mt/archives/001444.html