[Cryptography] TLS 1.0, Diffie-Hellman, RSA, AES128 CBC, SHA seriously qualified as «broken»?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Aug 30 03:09:27 EDT 2020

Thierry Moreau <thierry.moreau at connotech.com> writes:

>Am I too old to craft an apache/openssl secure configuration?

It's not you, it's me... I mean, it's the SSL assessment tool.  There are a
pile of these around, and in general they're about 50% checking for known,
real security problems and 50% checking that you're making the fashion
statement that the creator of the tool believes everyone should be making this
year.  For example recently I ran into a large B2B site that most of the time
would immediately drop the connection on seeing a client hello, and at other
times would drop it after going through the crypto handshake.  Extensive
fingerprinting turned up the fact that the site's idea of "secure", apart from
running ~12-year-old server software, means a large list of RSA-only suites
(but they're secure because we use 2048-bit RSA), a much smaller list of ECDSA
suites, and nothing else.  So you've got the choice between the least secure
keyex mechanism provided by the protocol (pure RSA) and the endlessly
vulnerability-plagued ECC suites (the latest papers on private-key-leaking
vulns are only a few weeks old), but no DHE at all.  Someone's security best
practices doc apparently told them to do this.

>Your connection to this website uses weak encryption and is not private.
>Other people can view your information or modify the website's behavior.
>Information sent over the Internet without encryption can be seen by other
>people while it is in transit.

"This site is not virtue-signalling in a manner that we approve of.  We will
therefore decry AES-128 and HMAC-SHA1, both unbroken, as insecure until they
perform the appropriate level of virtue signalling".

To quote Linus on the difference between kernel scheduler design and security:

>   So the
>   difference between them is simple: one is 'hard science'. The other one is
>   'people wanking around with their opinions'."

(and yes, that includes this post).


More information about the cryptography mailing list