Cipher order should prefer quantum safe ciphers.
Categories: Core :: Security: PSM, defect
People: Reporter: u677327, Unassigned
Attachments: 2 files
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Special purpose quantum computing already exists at companies like DWave and Google, the NSA is likely 30 years ahead of both as they have always traditionally been ahead of the private sector, and general purpose quantum computers are likely less than 10 years away.
Ciphers of 128 bits only provide 64 bits of quantum security and shouldn't be used.
Core's cipher order currently prefers 128 bits but it should prefer 256 bits, including preferring TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 over TLSv1.3 TLS_AES_128_GCM_SHA256.
Actual results:
The current cipher preference order: (excluding non-authenticated and non-PFS)
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Expected results:
The cipher order should be: (excluding non-authenticated and non-PFS)
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Comment 2 • 4 years ago
Reopening because bug 1357467 is an NSS bug and Mozilla can customize the order without changing the NSS default now.
Comment 4 • 4 years ago
Hi! So, the asymmetric part of the key exchange in TLS is not post-quantum resistant, so reordering according to the strength of the symmetric cipher has no impact. We are monitoring and working on standardizing a post-quantum version of TLS at the IETF and will implement it when available. I will close this bug but feel free to keep discussing and track in https://bugzilla.mozilla.org/show_bug.cgi?id=1357467.
4096-bit DHE-RSA-AES256-GCM-SHA384 is resistant for at least another ~30 years post-quantum so using it by default would be better than using any new NSA backdoored crypto.
Your new standard should remove the existing backdoored NSA crypto of P-256, P-384, and P-521, and re-add DHE, which is the most trusted and secure key exchange.
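The two arguments in this thread, the reporter's "128-bit ciphers give 64 bits of quantum security" reordering and comment 4's "the key exchange is the weakest link" reply, can both be made concrete with a short script. This is an added example, not code from the bug, from Firefox or from NSS. It takes the suite lists exactly as posted above, halves each symmetric key length for Grover's algorithm, assigns zero post-quantum bits to every classical key exchange (RSA, DHE, ECDHE are all broken by Shor's algorithm), and checks that reordering by symmetric strength reproduces the reporter's proposed list without changing the weakest-link figure for any suite. The sort rule (longer symmetric key first, then TLS 1.3 before 1.2, AES before ChaCha20, ECDSA before RSA) is my reconstruction of the proposed order, and the assumption that TLS 1.3 suites negotiate a classical (EC)DHE group is marked in the code.

```python
# Added example (not Firefox/NSS code): quantify the post-quantum security of
# the cipher suites listed in the bug and reproduce the proposed reordering.

# Suite lists copied from the bug report (authenticated, forward-secret only).
CURRENT_ORDER = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
PROPOSED_ORDER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Post-quantum bits of each key-exchange family: Shor's algorithm solves the
# factoring and discrete-log problems these rely on, so all are 0.
CLASSICAL_KEX_PQ_BITS = {"ECDHE": 0, "DHE": 0, "RSA": 0}


def parse_suite(name):
    """Split an IANA cipher suite name into key exchange, auth, cipher, key bits.

    TLS 1.2 names look like TLS_<kex>_<auth>_WITH_<cipher>_<hash>; TLS 1.3 names
    (TLS_<cipher>_<hash>) carry no key exchange, which is negotiated separately.
    """
    if "_WITH_" in name:
        kex_auth, cipher = name[len("TLS_"):].split("_WITH_")
        kex, auth = kex_auth.split("_", 1)
        version = "1.3" if False else "1.2"
    else:
        # Assumption: the TLS 1.3 handshake uses a classical (EC)DHE group
        # (x25519 or a NIST curve), as the discussion above presumes.
        kex, auth, cipher, version = "ECDHE", None, name[len("TLS_"):], "1.3"
    if cipher.startswith("AES_"):
        algo, key_bits = "AES", int(cipher.split("_")[1])
    elif cipher.startswith("CHACHA20"):
        algo, key_bits = "CHACHA20", 256  # ChaCha20 always uses a 256-bit key
    else:
        raise ValueError("unsupported cipher in " + name)
    return {"name": name, "version": version, "kex": kex, "auth": auth,
            "cipher": algo, "key_bits": key_bits}


def symmetric_pq_bits(suite):
    """Grover's algorithm gives a quadratic speed-up, halving the key length."""
    return suite["key_bits"] // 2


def key_exchange_pq_bits(suite):
    """Classical key exchanges give no post-quantum security at all."""
    return CLASSICAL_KEX_PQ_BITS[suite["kex"]]


def effective_pq_bits(suite):
    """A session is only as strong as its weakest component."""
    return min(symmetric_pq_bits(suite), key_exchange_pq_bits(suite))


def reorder_for_symmetric_strength(names):
    """Order as the bug proposes: longer symmetric key first, then TLS 1.3
    before 1.2, AES before ChaCha20, ECDSA before RSA (False sorts first)."""
    def key(name):
        s = parse_suite(name)
        return (-s["key_bits"], s["version"] != "1.3",
                s["cipher"] != "AES", s["auth"] == "RSA")
    return sorted(names, key=key)


def weakest_link_report(names):
    """Map suite name -> (Grover bits, key-exchange bits, effective bits)."""
    out = {}
    for n in names:
        s = parse_suite(n)
        out[n] = (symmetric_pq_bits(s), key_exchange_pq_bits(s),
                  effective_pq_bits(s))
    return out


if __name__ == "__main__":
    for name, (grover, kex, eff) in weakest_link_report(CURRENT_ORDER).items():
        print(f"{name:48s} symmetric={grover:3d}  kex={kex}  effective={eff}")
    print("reordering reproduces proposal:",
          reorder_for_symmetric_strength(CURRENT_ORDER) == PROPOSED_ORDER)
```

Running it shows what comment 4 says: every suite, in either order, ends up with an effective post-quantum strength of 0 because the (EC)DHE or RSA key exchange, not the AES or ChaCha20 key length, is what a large quantum computer would attack. The remedy is a post-quantum key-exchange group in the handshake, which no reordering of the symmetric suites can substitute for.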