[gnutls-dev] Re: GNU TLS
Nikos Mavroyanopoulos
nmav@gnutls.org
Wed Jul 10 12:30:01 2002
On Wed, Jul 10, 2002 at 09:04:53AM -0000, phr-2002@nightsong.com wrote:
> I have one complaint, which is that weak ciphers aren't supported. I
> assume this was decided as a political statement. But I think it is a
> mistake. That kind of decision should be reserved for the application
> developer--a library should not impose it. The issue isn't that the
> library user might be subject to crypto restrictions. It's that GNU TLS
> is a network communication tool, and the OTHER END of the connection
> might be restricted, either legally or by its implementation.
> For example, web browsers--even most of the ones installed on US
> machines which were permitted to use strong cryptography--almost
> entirely used weak cryptography until just a year or two ago. A lot
> of those browsers are still being used. A GNU TLS-based web server
> without weak cryptography support wouldn't be able to communicate
> securely with these browsers.

You seem to make an assumption that is not correct. You assume that
the 40 bit restricted browsers offer some security.
Actually they do not offer any security at all. It is better to
communicate in plain, instead of having a false feeling of security.
It is trivial to crack 40 bit protected communications by brute
force.

> The application developer might decide that for security reasons, it's
> best for his/her site to not support such browsers, and simply tell
> users to upgrade (for example by downloading the appropriate MSIE
> service pack). But THAT IS UP TO THE APPLICATION DEVELOPER. S/he
> might decide that weak cryptography is good enough for the specific
> data being encrypted. The most common use of SSL on the web is for
> credit card numbers, and it's simply not worth the effort of an
> attacker brute-forcing a 56-bit (or even 40-bit) encryption key to get
> a single card number.

Well, I'm not aware of software that cracks 40 bit restricted TLS sessions,
but we shouldn't assume that there aren't such programs available in
underground communities. One can use a network of general purpose computers
to break 40 bit ciphers in days or (in the worst case) weeks, which is
really worth the effort.

> Without the possibility of supporting a weak-cryptography client, the
> application developer must choose between abandoning the user (most
> won't bother upgrading til they get a new computer) or else turning
> off TLS entirely and using an unencrypted connection. Many will
> choose to turn off TLS, so GNU TLS's attempt to increase security by
> omitting weak ciphers will in fact decrease security.

As I said, I do not believe that the weak ciphers offer any
security.

> Similarly, a lot of web SERVERS such as older versions of Microsoft
> IIS still use weak cryptography. If GNU TLS is used in a browser, it
> won't be able to connect by SSL to such servers. This situation is
> even worse than the GNU TLS server case, since the GNU TLS browser
> user will usually have no hope of persuading the server operator to
> upgrade. So again, s/he'll have to abandon the site or else turn
> off TLS.

He cannot persuade him, but he should not trust his business anyway.
Offering secure services restricted to 40 bit ciphers is a joke.

[I CC'ed the developers mailing list for further comments and discussion]

> Regards
> Paul Rubin
> Fort GNOX Cryptography
--
Nikos Mavroyanopoulos