Closed Bug 1684804 Opened 4 years ago Closed 4 years ago

Cipher order should prefer quantum safe ciphers.

Categories

(Core :: Security: PSM, defect)



RESOLVED DUPLICATE of bug 1357467

People

(Reporter: u677327, Unassigned)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

Special purpose quantum computing already exists at companies like DWave and Google, the NSA is likely 30 years ahead of both as they have always traditionally been ahead of the private sector, and general purpose quantum computers are likely less than 10 years away.

Ciphers of 128 bits only provide 64 bits of quantum security and shouldn't be used.

Core's cipher order currently prefers 128 bits, but it should prefer 256 bits, including preferring TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 over TLSv1.3 TLS_AES_128_GCM_SHA256.

Actual results:

The current cipher preference order: (excluding non-authenticated and non-PFS)
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Expected results:

The cipher order should be: (excluding non-authenticated and non-PFS)
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Reopening because bug 1357467 is an NSS bug and Mozilla can customize the order without changing the NSS default now.

Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Attached image Quantum Estimates.png

Hi! So, the asymmetric part of the key exchange in TLS is not post-quantum resistant, so reordering according to the strength of the symmetric cipher has no impact. We are monitoring and working on standardizing a post-quantum version of TLS at the IETF and will implement it when available. I will close this bug, but feel free to keep discussing and track in https://bugzilla.mozilla.org/show_bug.cgi?id=1357467.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
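The point made in the comment above, that the key exchange rather than the symmetric cipher bounds a TLS session's security against a quantum adversary, worked through as an added example. This is not code from the bug, from Mozilla or from NSS. It parses the IANA suite names from the report, applies the textbook weakest-link model (Grover halves symmetric key strength; Shor breaks finite-field and elliptic-curve Diffie-Hellman outright), and compares the two orderings. The `pq_key_exchange` flag is an assumption added for illustration, modelling a hypothetical post-quantum key exchange that the page only says is being standardized; it is there to show that the proposed ordering would only start to matter once that key exchange exists.

```python
import re

# Constructed sample input: the two cipher-suite lists copied from the bug report.
CURRENT_ORDER = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
PROPOSED_ORDER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# IANA naming for the suites on this page: TLS 1.2 names carry key exchange and
# authentication; TLS 1.3 names carry only the AEAD and the HKDF hash.
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kex>ECDHE|DHE)_(?P<auth>ECDSA|RSA)_WITH_)?"
    r"(?P<aead>AES_128_GCM|AES_256_GCM|CHACHA20_POLY1305)_(?P<hash>SHA256|SHA384)$"
)

SYMMETRIC_KEY_BITS = {"AES_128_GCM": 128, "AES_256_GCM": 256, "CHACHA20_POLY1305": 256}


def parse_suite(name):
    """Split an IANA cipher-suite name into its key exchange, auth and AEAD parts."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unsupported cipher suite name: {name}")
    return {
        "name": name,
        # TLS 1.3 suites do not name the key exchange: the (EC)DHE group is
        # negotiated separately through supported_groups / key_share.
        "kex": m.group("kex") or "(EC)DHE via key_share",
        "auth": m.group("auth") or "certificate via signature_algorithms",
        "aead": m.group("aead"),
        "symmetric_bits": SYMMETRIC_KEY_BITS[m.group("aead")],
    }


def quantum_security_bits(suite, pq_key_exchange=False):
    """Weakest-link estimate against a cryptographically relevant quantum computer.

    Grover's algorithm halves the effective symmetric key length; Shor's algorithm
    recovers the shared secret of any finite-field or elliptic-curve Diffie-Hellman
    exchange, so a classical (EC)DHE key exchange contributes 0 bits.
    pq_key_exchange=True is a hypothetical, assumed for illustration only: it
    models a key exchange that does not cap the symmetric strength.
    """
    symmetric_bits = suite["symmetric_bits"] // 2
    kex_bits = float("inf") if pq_key_exchange else 0
    return min(symmetric_bits, kex_bits)


def top_choice_quantum_bits(order, pq_key_exchange=False):
    """Security offered by the client's most-preferred suite under the model above."""
    return quantum_security_bits(parse_suite(order[0]), pq_key_exchange)


def reorder_changes_anything(order_a, order_b, pq_key_exchange=False):
    """True if the two preference orders lead to different security at the top choice."""
    return top_choice_quantum_bits(order_a, pq_key_exchange) != top_choice_quantum_bits(
        order_b, pq_key_exchange
    )


if __name__ == "__main__":
    for label, order in (("current", CURRENT_ORDER), ("proposed", PROPOSED_ORDER)):
        top = parse_suite(order[0])
        print(
            f"{label:8} {top['name']:45} kex={top['kex']:28} "
            f"PQ bits today={quantum_security_bits(top)} "
            f"PQ bits with PQ kex={quantum_security_bits(top, True)}"
        )
    print("reordering matters today:", reorder_changes_anything(CURRENT_ORDER, PROPOSED_ORDER))
```

Every suite in both lists parses to an (EC)DHE key exchange, so both orders come out at 0 bits under the quantum model regardless of which AEAD sits first; only with the hypothetical post-quantum key exchange does the 256-bit-first order (128 bits after Grover) pull ahead of the 128-bit-first order (64 bits).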

4096-bit DHE-RSA-AES256-GCM-SHA384 is resistant for at least another ~30 years post-quantum so using it by default would be better than using any new NSA backdoored crypto.

Your new standard should remove the existing backdoored NSA crypto of P-256, P-384, and P-521, and re-add DHE, which is the most trusted and secure key exchange.

