suggestion for webserver administrators. [LWN.net]

suggestion for webserver administrators.

Posted Jul 25, 2013 16:31 UTC (Thu) by jeff_marshall (subscriber, #49255)
In reply to: suggestion for webserver administrators. by Richard_J_Neill
Parent article: Feds put heat on Web firms for master encryption keys (CNET)

Regarding your point 1, why are you comparing RC4 to ECDHE? They serve two entirely different purposes: RC4 is a stream cipher used for protecting data once a secret key has been established, and ECDHE is a key agreement algorithm used during key establishment.

Does TLS not support a regular DHE (non-EC) paired with a safe block cipher + mode?

to post comments

suggestion for webserver administrators.

Posted Jul 25, 2013 16:43 UTC (Thu) by Richard_J_Neill (subscriber, #23093) [Link] (1 responses)

I may have caused some confusion here. My understanding is that:

On Apache 2.2, we had a choice between two evils, either ciphers which have forward secrecy (but which are vulnerable to BEAST), or which are immune to BEAST but sacrifice forward-secrecy. The latter is the Apache-2.2 configuration (at least on Ubuntu).

This one is secure, but requires Apache 2.4
ECDHE-RSA-AES128-SHA256

To answer your question, I think the answer is "no" - at least, experimentally, and using the ssllabs test-suite.

suggestion for webserver administrators.

Posted Jul 25, 2013 18:38 UTC (Thu) by jeff_marshall (subscriber, #49255) [Link]

Thanks for the clarification. I think my confusion stemmed from your use of "cipher" vs. "cipher suite"( i.e., ECHDE is a cipher, ECDHE-RSA-AES128-SHA256 is a cipher suite).

Ultimately, the problem appears to stem from the choices of which ciphers are grouped into suites in the SSL/TLS standards- many of the suites either pick a key agreement scheme without forward secrecy or a block cipher + mode vulnerable to BEAST.