Closed Bug 956744 Opened 11 years ago Closed 10 years ago

SSL: Non-Perfect-Forward-Secrecy ciphers should not be called High-Grade-Encryption

Categories

(Core Graveyard :: Security: UI, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 947149

People

(Reporter: jan, Unassigned)


User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131215161728

Steps to reproduce:

1. Go to https://en.wikipedia.org 
2. Click on the little lock in the URL field
3. Click "more information"
4. Look at the "Technical Details"


Actual results:

They are showing "High-Grade Encryption (TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys)"


Expected results:

This should not display "High-Grade Encryption". This term should be reserved for Perfect Forward Secrecy ciphers like "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" for example.
Component: Untriaged → Security
OS: Linux → All
Hardware: x86_64 → All
Summary: SSL: Non-Perfect-Forward-Secrecy ciphers should not be called Hi-Grade-Encryption → SSL: Non-Perfect-Forward-Secrecy ciphers should not be called High-Grade-Encryption
See also bug 947149.
See Also: → 947149
Hi Jan, according to Mozilla's own conventions regarding SSL, any encryption that uses a key length of at least 128 bits is considered "High-grade encryption".

Please see: http://www.mozilla.org/projects/security/pki/psm/help_21/ssl_page_info_help.html. Marking this issue as an enhancement; however, if there's anyone with a stronger knowledge of this matter, please post your observations.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Thanks for the link to the conventions. I think that should be adjusted, too.

The key alone, even if it is a strong key, is not good enough. The cipher has to be strong, too.

The phrase "High-Grade Encryption" is very misleading when one uses RC4 for example. I fear that users might feel safe when they read this phrase and they really are not.
I agree, 128-bit RC4 cannot be called high-grade encryption. And as Jan says, bitness is not all; the ciphers matter highly as well, and Forward Secrecy too.

The mentioned SSL conventions are terribly outdated; Firefox doesn't even support 40, 56 and 64 bit keys anymore:

    "High-grade encryption. Strongest encryption available, using 128-bit keys at a minimum.
    Medium-grade encryption. Somewhat stronger than low-grade encryption, using 56- or 64-bit keys.
    Low-grade encryption. Weakest encryption available, using 40-bit keys."
Component: Security → Security: UI
Product: Firefox → Core
Version: 26 Branch → Trunk
There is no distinction anymore for high and low grade.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard
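The disagreement in this thread, as an added example that is not part of the original bug or of Firefox's code: it grades a suite name by key length alone, using the thresholds quoted from the conventions above, and separately reports the two properties the commenters say the label ignores (an ephemeral DHE/ECDHE key exchange, and RC4). The function names, the `label_disputed` field and all sample suite names other than the two quoted in the report are assumptions made for illustration.

```python
import re

# Splits an IANA-style name into key exchange and cipher/MAC parts.
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)$")

# The first two names are quoted in the bug; the rest are constructed samples.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

def legacy_grade(bits):
    """Key-length-only grading, per the conventions quoted in the thread."""
    if bits is None:
        return "unknown"
    if bits >= 128:
        return "High-grade"
    if bits in (56, 64):
        return "Medium-grade"
    if bits == 40:
        return "Low-grade"
    return "unknown"

def review_suite(name):
    """Return the legacy grade next to the properties it does not consider."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"not a TLS_*_WITH_* suite name: {name!r}")
    kx_tokens = m["kx"].split("_")
    rest_tokens = m["rest"].split("_")
    # Key size is the first purely numeric token (AES_128_CBC -> 128).
    bits = next((int(t) for t in rest_tokens if t.isdigit()), None)
    # Only ephemeral (EC)DHE gives forward secrecy; RSA and static DH do not.
    forward_secret = kx_tokens[0] in ("DHE", "ECDHE")
    uses_rc4 = rest_tokens[0] == "RC4"
    grade = legacy_grade(bits)
    return {
        "suite": name, "key_bits": bits, "legacy_grade": grade,
        "forward_secret": forward_secret, "uses_rc4": uses_rc4,
        # True where the thread objects to the "High-grade" wording.
        "label_disputed": grade == "High-grade" and (uses_rc4 or not forward_secret),
    }

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        r = review_suite(suite)
        print(f"{r['suite']:40} {r['legacy_grade']:13} "
              f"PFS={r['forward_secret']} disputed={r['label_disputed']}")
```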