Re: Action Item 18 - understand/visualize the strength of SSL

On Fri, 08 Dec 2006 06:54:02 +0100, Thomas Roessler <tlr@w3.org> wrote:

>
> On 2006-12-07 18:11:04 -0500, Mary Ellen Zurko wrote:
>
>> While I do not believe "raw" information about SSL strength to be
>> usable (for the general populace; it might have a place on some
>> sort of "more details" area), recommendations on removing ciphers
>> would be out of our charter.
>
> Agree for specific ciphers.
>
> However, I could imagine a recommendation that says "don't bother
> users with cipher strength; if you think a cipher is so weak you
> need to warn users about it, you probably don't want to implement it
> in the first place."

That might not be practical for a deployed protocol, although it might be  
for a new protocol (although, IMO new protocols should not define weak  
ciphers).

Early last year we had the situation that we wanted to disable both SSL v2  
and the 40 and 56 bit ciphers, but couldn't because several important  
sites were (still) using them. In fact, there's been important sites (see  
links below) that until recently still continued to use 40 and 56 bit  
ciphers. In Opera 8 we settled for warning the user about the weak  
security level, in Opera 9 we disabled them.

There is a second aspect to this, variable-length encryption methods, like
RSA, which also have weak key lengths. Opera is currently warning about
RSA/DH/DSA keys that are shorter than 900 bits, and we are lowering the
security level by one point if the key is shorter than 1000 bits.

However, we continue to learn of websites that are using certificates with  
512 bit RSA keys, and we also see a number of servers that support  
Ephemeral DH but select a key shorter than 900 bits (one actually sent a
256 bit DH key).

In this case we can either warn the user, or refuse to connect; we cannot  
remove the method.

For more about what we have seen in this area please see my articles <URL:  
http://my.opera.com/yngve/blog/show.dml/382945 > and <URL:  
http://my.opera.com/yngve/blog/show.dml/450368 >.

-- 
Sincerely,
Yngve N. Pettersen
 
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

Received on Friday, 8 December 2006 11:06:56 UTC
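The thresholds described in the message above (warn on RSA/DH/DSA keys shorter than 900 bits, drop the security level one point below 1000 bits, warn about 40/56-bit ciphers in Opera 8 and refuse them in Opera 9) as a small, added example. This is not code from the message or from Opera; the function and field names are assumptions. The DH key length is taken from the bit length of dh_p in a TLS 1.0/1.1 ServerDHParams structure (RFC 2246 section 7.4.3), which is what a browser actually sees when a server picks a short ephemeral DH modulus; the sample handshake bytes are constructed inline.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Thresholds exactly as stated in the message (in bits).
WARN_BELOW_BITS = 900           # warn about RSA/DH/DSA keys shorter than this
LEVEL_DOWN_BELOW_BITS = 1000    # lower the security level by one point below this
WEAK_SYMMETRIC_BITS = {40, 56}  # export-grade bulk cipher strengths


def parse_server_dh_params(data: bytes) -> Tuple[int, int, int]:
    """Parse a TLS 1.0/1.1 ServerDHParams structure (RFC 2246, 7.4.3):
    dh_p, dh_g, dh_Ys, each a 2-byte big-endian length followed by a
    big-endian unsigned integer of that many bytes."""
    values: List[int] = []
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated before length of {name}")
        length = int.from_bytes(data[offset:offset + 2], "big")
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"bad length {length} for {name}")
        values.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after dh_Ys")
    return values[0], values[1], values[2]


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used here only to build sample input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def dh_key_bits(server_dh_params: bytes) -> int:
    """The effective DH key length is the bit length of the modulus dh_p."""
    p, _, _ = parse_server_dh_params(server_dh_params)
    return p.bit_length()


@dataclass
class Verdict:
    action: str                 # "refuse", "warn" or "ok"
    level_penalty: int          # points subtracted from the security level
    reasons: List[str] = field(default_factory=list)


def assess(symmetric_bits: int, public_key_bits: int, opera_major: int = 9) -> Verdict:
    """Apply the policy from the message to one negotiated connection.

    symmetric_bits:  strength of the bulk cipher (40 and 56 are the weak ones).
    public_key_bits: size of the RSA/DSA certificate key or of the DH modulus.
    opera_major:     8 warns about weak ciphers, 9 has them disabled (hypothetical knob).
    """
    verdict = Verdict("ok", 0)
    if symmetric_bits in WEAK_SYMMETRIC_BITS:
        # A cipher suite can be removed from the offer; a disabled one is never negotiated.
        verdict.action = "refuse" if opera_major >= 9 else "warn"
        verdict.reasons.append(f"{symmetric_bits}-bit cipher")
    # A key length cannot be "removed" like a cipher suite, only warned about or refused.
    if public_key_bits < LEVEL_DOWN_BELOW_BITS:
        verdict.level_penalty = 1
        verdict.reasons.append(f"{public_key_bits}-bit key below {LEVEL_DOWN_BELOW_BITS}")
    if public_key_bits < WARN_BELOW_BITS:
        if verdict.action == "ok":
            verdict.action = "warn"
        verdict.reasons.append(f"{public_key_bits}-bit key below {WARN_BELOW_BITS}")
    return verdict


if __name__ == "__main__":
    # Constructed sample: a 256-bit ephemeral DH modulus like the one the message mentions.
    weak_dh = encode_server_dh_params((1 << 255) + 3, 2, 12345)
    bits = dh_key_bits(weak_dh)
    print(bits, assess(128, bits))
    print(assess(128, 512))                 # 512-bit RSA certificate key
    print(assess(40, 1024, opera_major=8))  # Opera 8 behaviour: warn
    print(assess(40, 1024, opera_major=9))  # Opera 9 behaviour: cipher disabled
```

Note the boundary cases: a key of exactly 900 bits gets no warning but still costs one level point, and a key of exactly 1000 bits is not penalised at all, which is how the two thresholds in the message compose.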