Closed
Bug 956744
Opened 11 years ago
Closed 10 years ago
SSL: Non-Perfect-Forward-Secrecy ciphers should not be called High-Grade-Encryption
Categories
(Core Graveyard :: Security: UI, enhancement)
Tracking
(Not tracked)
RESOLVED DUPLICATE of bug 947149
People
(Reporter: jan, Unassigned)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131215161728

Steps to reproduce:
1. Go to https://en.wikipedia.org
2. Click on the little lock in the URL field
3. Click "more information"
4. Look at the "Technical Details"

Actual results:
They are showing "High-Grade Encryption (TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys)"

Expected results:
This should not display "High-Grade Encryption". This term should be reserved for Perfect Forward Secrecy ciphers like "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" for example.
Reporter
Updated•11 years ago
Component: Untriaged → Security
OS: Linux → All
Hardware: x86_64 → All
Updated•11 years ago
Summary: SSL: Non-Perfect-Forward-Secrecy ciphers should not be called Hi-Grade-Encryption → SSL: Non-Perfect-Forward-Secrecy ciphers should not be called High-Grade-Encryption
Comment 1•11 years ago
See also bug 947149.
Comment 2•11 years ago
Hi Jan, according to Mozilla's own conventions regarding SSL, any encryption that uses a key length of at least 128 bits is considered "High-grade encryption". Please see: http://www.mozilla.org/projects/security/pki/psm/help_21/ssl_page_info_help.html. Marking this issue as an enhancement; however, if there's anyone with a stronger knowledge on this matter, please post your observations.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter
Comment 3•11 years ago
Thanks for the link to the conventions. I think that should be adjusted, too. The key alone even if it is a strong key is not good enough. The cypher has to be strong, too. The phrase "High-Grade Encryption" is very misleading when one uses RC4 for example. I fear that users might feel safe when they read this phrase and they really are not.
Comment 4•11 years ago
I agree, 128 bit RC4 cannot be called high grade encryption. And as Jan says, bitness is not all, the ciphers matter highly as well, and Forward Secrecy too. The mentioned SSL conventions are terribly outdated; Firefox doesn't even support 40, 56 and 64 bit keys anymore:
"High-grade encryption. Strongest encryption available, using 128-bit keys at a minimum.
Medium-grade encryption. Somewhat stronger than low-grade encryption, using 56- or 64-bit keys.
Low-grade encryption. Weakest encryption available, using 40-bit keys."
Updated•11 years ago
Component: Security → Security: UI
Product: Firefox → Core
Version: 26 Branch → Trunk
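The distinction raised in Comments 3 and 4, as an added example that is not part of the original bug thread or of Firefox's code: it parses IANA-style cipher suite names and reports the key-length-only label from the old help page next to the cipher and forward-secrecy properties the commenters ask for. The function names `legacy_grade` and `describe` are assumptions of this example, and the suite list is constructed (its first two names are the ones quoted in the report).

```python
import re

# IANA-style name: TLS_<key exchange>_WITH_<cipher...>_<MAC/PRF hash>
# (TLS 1.3 names have no _WITH_ part and are rejected by this parser.)
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>[A-Z0-9]+)$")
EPHEMERAL_KX = {"DHE", "ECDHE"}  # ephemeral Diffie-Hellman gives forward secrecy


def legacy_grade(bits):
    """Label from the old help page quoted in Comment 4: key length only."""
    if bits is None:
        return "unknown"
    if bits >= 128:
        return "High-grade"
    if bits in (56, 64):
        return "Medium-grade"
    if bits == 40:
        return "Low-grade"
    return "unknown"


def describe(suite):
    """Split a suite name into the properties the thread argues should matter."""
    m = SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {suite!r}")
    enc_tokens = m.group("enc").split("_")
    # Key size is the first purely numeric token, e.g. 128 in AES_128_CBC.
    bits = next((int(t) for t in enc_tokens if t.isdigit()), None)
    return {
        "suite": suite,
        "legacy_label": legacy_grade(bits),
        "cipher": enc_tokens[0],
        "bits": bits,
        "forward_secrecy": m.group("kx").split("_")[0] in EPHEMERAL_KX,
    }


if __name__ == "__main__":
    # Constructed sample list; the first two names appear in the bug report.
    for name in ("TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
                 "TLS_RSA_WITH_RC4_128_SHA",
                 "TLS_RSA_EXPORT_WITH_RC4_40_MD5"):
        d = describe(name)
        print(f"{d['suite']}: legacy={d['legacy_label']}, cipher={d['cipher']}, "
              f"bits={d['bits']}, forward_secrecy={d['forward_secrecy']}")
```

The first three suites all receive the same legacy label even though only the DHE suite has forward secrecy and one of them uses RC4.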
Comment 5•10 years ago
There is no distinction anymore for high and low grade.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Assignee
Updated•8 years ago
Product: Core → Core Graveyard