- From: Mark Nottingham <mnot@mnot.net>
- Date: Sun, 14 Dec 2014 08:51:06 +1100
- To: "Sean B. Palmer" <sean@miscoranda.com>
- Cc: "www-tag@w3.org List" <www-tag@w3.org>

Hi Sean,

This finding is not the end statement on all things encryption; it’s a proposal for a high-level policy.

The details of encryption are best left to specific Recommendations and RFCs; for example, TLS1.3 is removing RC4 (and HTTP/2 disallows it), and the CFRG is debating the merits of different curves.

Cheers,

> On 13 Dec 2014, at 11:06 pm, Sean B. Palmer <sean@miscoranda.com> wrote:
>
> Hi Mark,
>
> If you are promoting HTTPS for security, you must also record that
> TLS/SSL were partially compromised as of 2013:
>
> "C.3. (TS//SI//REL) The fact that NSA/CSS has some capabilities
> against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL,
> and other network communication technologies"
>
> http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide
>
> "Several experts, including Bruce Schneier and Christopher Soghoian,
> have speculated that a successful attack against RC4, a 1987
> encryption algorithm still used in at least 50 per cent of all SSL/TLS
> traffic, is a plausible avenue, given several publicly known
> weaknesses of RC4. Others have speculated that NSA has gained ability
> to crack 1024-bit RSA and Diffie Hellman public keys."
>
> https://en.wikipedia.org/w/index.php?title=Bullrun_%28decryption_program%29&oldid=631232698#Methods
>
> When certificates are upgraded to ECC, these compromises may be fixed,
> though we are unlikely to know for sure. But there is a good chance
> that the NSA-influenced NIST curves would be used instead of Prof
> Bernstein's Curve25519 and associated apparatus. The IETF must not
> allow this to happen.
>
> Update the draft finding to include this information.
>
> Regards,
>
> On Mon, Dec 8, 2014 at 11:28 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> We've started work on a new Finding, to a) serve as a Web version of the IAB statement, and b) support the work on Secure Origins in WebAppSec.
>>
>> See: <https://w3ctag.github.io/web-https/>
>>
>> Repo w/ issues list at <https://github.com/w3ctag/web-https>.
>>
>> Cheers,
>>
>> --
>> Mark Nottingham https://www.mnot.net/
>
> --
> Sean B. Palmer, http://inamidst.com/sbp/

--
Mark Nottingham http://www.mnot.net/

Received on Saturday, 13 December 2014 21:51:34 UTC