[Cryptography] TLS 1.0, Diffie-Hellman, RSA, AES128 CBC, SHA seriously qualified as «broken»?

Amarendra Godbole amarendra.godbole at gmail.com
Mon Sep 14 13:43:08 EDT 2020


On Sun, Aug 30, 2020 at 8:48 PM Mike via cryptography
<cryptography at metzdowd.com> wrote:
>
> On 8/29/2020 5:16 PM, Thierry Moreau wrote:
> > Hi,
> >
> > [snip]
> > In essence, it appears to work as intended.
> >
> > The Firefox version 76.0.1 reported «TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> > 128 bit keys, TLS 1.0» as the technical details for the security of the
> > web page.
> >
> > In essence, it appears to work as intended ... but
> >
> > The Firefox browser qualifies this as «broken encryption». «Your
> > connection to this website uses weak encryption and is not private.
> > Other people can view your information or modify the website's behavior.
> > Information sent over the Internet without encryption can be seen by
> > other people while it is in transit.»
> >
> > And the security icon on the left of the URL entry field is yellow.
> >
> > Then what?
> > [snip]
>
> I find this site to be a good starting point.  It provided me with
> enough of an understanding that I knew what I needed to look into and
> research more deeply.  YMMV.  :)
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
[...]

<soapbox>
The security industry suffers from the same "magical potions"
syndrome, and everyone wants quick solutions and knobs to their
security issues. That drives these crazy (to some extent) "security
checkers", compliance requirements, and more and more humans
willing/wanting to do less and less work. Very few realize actual
security work is incredibly dull and boring, and doesn't involve knobs
but requires a lot of careful planning, and a thoughtful
implementation to get stuff right.
</soapbox>

Well, the only thing you can do is change the configuration to the
liking of the "virtue signaling machine", else you'd be cancelled! :-P
Of course, if it is your setup, designed and operated by you alone,
then there is a lot of flexibility in terms of educating yourself and
deciding which configuration is actually secure. If it is a customer,
then you are mostly out of luck - compliance with the virtue signaling
machine is mandatory (most of the time).

-ag

