- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Fri, 8 Dec 2006 08:58:33 -0500
- To: "Thomas Roessler" <tlr@w3.org>, "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: "George Staikos <staikos" <staikos@kde.org>, "W3 Work Group" <public-wsc-wg@w3.org>
Agree that providers "should not" implement weak ciphers, but it is up to the provider to properly configure the servers to negotiate the use of medium or high strength ciphers. It may also be informational to the user if the site complies with NIST standards and is FIPS 140-2 compliant. If a user is on a banking site, it may be useful to know if the bank implements NIST cryptographic standards noted as Low, Medium and High robustness.

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

In reading replies I can think of two situations where low grade cipher suites can be negotiated and impact the user.

1. A site is improperly configured and the browser negotiates a lower grade cipher suite in order to complete the connection. This can happen on a "trusted" site due to a botched upgrade, improper configuration change or due to a system compromise.

2. A site has not upgraded its security cipher suite.
   a. the user may care, data needs to be secure.
   b. the user may not care, the risk is low, the data does not need to be secure.

My feeling is that if the browser blocks the site and does not provide feedback as to why and how to proceed, the user will find another browser that works and will stop using the "broken" browser. If feedback is not provided, the user learns nothing other than a particular browser blocked the site.

Bill Doyle
wdoyle@mitre.org

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Thomas Roessler
Sent: Friday, December 08, 2006 12:54 AM
To: Mary Ellen Zurko
Cc: George Staikos <staikos; W3 Work Group
Subject: Re: Action Item 18 - understand/visualize the strength of SSL

On 2006-12-07 18:11:04 -0500, Mary Ellen Zurko wrote:
> While I do not believe "raw" information about SSL strength to be
> usable (for the general populace; it might have a place on some
> sort of "more details" area), recommendations on removing ciphers
> would be out of our charter.

Agree for specific ciphers.

However, I could imagine a recommendation that says "don't bother users with cipher strength; if you think a cipher is so weak you need to warn users about it, you probably don't want to implement it in the first place."

Cheers,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Friday, 8 December 2006 13:58:55 UTC
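An added illustration of the kind of feedback the message above argues a client should give (it is not code from this thread or from W3C): a small Python checker that buckets a negotiated cipher suite into low/medium/high, explains why, and flags the "trusted site suddenly negotiates weaker than before" case from scenario 1. The strength thresholds, the weak-algorithm marker list and the sample cipher tuples are assumptions constructed for the example; only `ssl.SSLSocket.cipher()` is real API.

```python
import socket
import ssl

# Assumed buckets for this example (not NIST's own definitions): known-broken or
# export-grade algorithms and under 112 bits are "low", 112-127 bits "medium", 128+ "high".
RANK = {"low": 0, "medium": 1, "high": 2}
WEAK_MARKERS = ("NULL", "EXP-", "RC4", "DES-CBC-")  # "DES-CBC-" does not match DES-CBC3 (3DES)

def classify_cipher(name, bits):
    """Map a negotiated cipher name and secret bits to (bucket, reason)."""
    upper = name.upper()
    for marker in WEAK_MARKERS:
        if marker in upper:
            return "low", f"{name} uses a broken or export-grade algorithm ({marker.strip('-')})"
    if bits < 112:
        return "low", f"{name} offers only {bits}-bit security"
    if bits < 128:
        return "medium", f"{name} offers {bits}-bit security (legacy, e.g. 3DES)"
    return "high", f"{name} offers {bits}-bit security"

def check_downgrade(history, site, negotiated):
    """Scenario 1 from the mail: a site that used to negotiate a strong cipher now gets a
    weaker one. `history` maps site -> strongest bucket seen; returns a user-facing reason or None."""
    name, proto, bits = negotiated
    bucket, reason = classify_cipher(name, bits)
    previous = history.get(site)
    history[site] = max(bucket, previous or bucket, key=RANK.__getitem__)
    if previous and RANK[bucket] < RANK[previous]:
        return f"{site}: {proto} negotiated {bucket} cipher but {previous} was negotiated before; {reason}"
    if bucket == "low":
        return f"{site}: {proto} negotiated {bucket} cipher; {reason}"
    return None

def negotiated_cipher(host, port=443):
    """Live probe (not used by the offline sample): what this client actually negotiates."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()  # (name, protocol_version, secret_bits)

# Constructed sample shaped like ssl.SSLSocket.cipher(): (name, protocol, bits)
SAMPLE = [
    ("bank.example", ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)),
    ("bank.example", ("DES-CBC3-SHA", "TLSv1", 112)),
    ("legacy.example", ("EXP-RC4-MD5", "SSLv3", 40)),
]

def run_sample():
    history = {}
    return [check_downgrade(history, site, cipher) for site, cipher in SAMPLE]
```

Each returned string carries the cipher name, the bucket and the reason, which is the "why" the message says a blocked or warned user otherwise never learns.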