Also, I couldn't get your disabling of SSL compression to work (on Gentoo Linux), either by pasting the export line into /etc/conf.d/apache2 (at the end) or /etc/init.d/apache2 (at the top).
That, coincidentally, is the configuration that we (CloudFlare) are using for all our SSL sites: http://blog.cloudflare.com/new-ssl-vulnerabilities-cloudflar... One of the things we try to do for our customers is worry about this sort of thing so they don't have to.
Yes, but some of the ciphers aren’t supported in widely used OpenSSL versions (like 0.9.8). I wanted to give people a configuration that works everywhere and is reasonable secure.
If they want more, there’s a link list at the end. Let’s not make perfect the enemy of the good.
Edit I’ve added an advanced section with a link to here so you get your credit. :)
To be fair, that line does work everywhere; the unrecognized ciphers are just ignored. In fact, on my Debian VPS with OpenSSL 0.9.8 it results in the exact same list of ciphers as the Apache one given in the post ("openssl ciphers" on the command line is very useful).
May as well add the newer ones to get the support if you upgrade your SSL library without having to change your Apache/nginx/etc. conf.
For openssl 0.9.8, where "ECDHE-RSA-AES128-SHA256" and "AES128-GCM-SHA256" aren't supported, that cipher suite actually places RC4 40bit as the preferred cipher ("openssl ciphers -v").
Unless you're worried about lack of GCM (and I guess you're not, given the next suite spec), you might as well make that highest-preference suite ECDHE-RSA-AES128-GCM-SHA256.
RC4 has no known practicably exploitable weaknesses and is well supported, insofar the “ancient” is actually working in its favor.
That said, if you know as much as you do, you don’t need that article and can fine tune yourself. It’s for people who want a compatible and secure SSL setup – which it is.
The statement that RC4 has no weaknesses is not true. It has well-known biases: http://en.wikipedia.org/wiki/RC4#Security It is just better than CBC (as implemented), being a stream cipher, and thus using RC4 is the best solution right now. It is still important to get as much as possible up to TLS 1.2 and using AES-GCM or other AEAD modes as soon as possible.
Edit: Clarified that RC4 is better than CBC as implemented, not CBC implemented with constant-time verification, i.e. RC4 will not be preferable to AES-CBC in the fixed version of OpenSSL, at least against the Lucky Thirteen attack.
You are extracting something I didn't say, or at least didn't mean to imply. RC4 is better than TLS-CBC as it is implemented by virtually all libraries. A constant-time implementation is obviously preferable, but considering the mess this makes of client libs I doubt many will adopt it. RC4 will be better for those until TLS 1.2 and e.g. AES-GCM are supported.
Also, blaming browsers when we've known about timing attacks against this verification for years, and OpenSSL is patching it now, is probably a bit of a stretch.
You're commenting at a greater level of detail than I am. I'm only making the AES-CBC > RC4 case because it would be awfully dumb of someone to design a new cryptosystem with RC4, even if AES-CBC was the only alternative.
The CBC timing channel 'agl is talking about is specific to TLS's idiosyncratic mac-then-encrypt implementation. Don't ever use mac-then-encrypt. Encrypt first, then MAC.
I'm blaming browsers for (a) not implementing CTR mode (AE or otherwise) and (b) being vulnerable to the chained CBC IV vulnerability. I'm not blaming browsers for the timing attack on AES-CBC.
Yeah. The outlook is not that great, and RC4 will definitely be better than CBC for those legacy systems in light of this discovery (http://www.isg.rhul.ac.uk/tls/). At least the browsers are actively working on supporting the latest TLS and modes.
Yes, the discovery of Lucky13 and the following helplessness by many not-really-ops-but-doing-it-anyway people were the motivation to write that article in the first place. To get a minimal baseline security out there. Those who know better, will do better. There’s enough additional links to get hooked up. Can’t do more. :)
Oh certainly not a crisis – especially since it didn't bring new vectors to the table. I just saw many “what now!?”s in my timelines and figured I better give them a solid good-enough solution that just works before they do something stupid.
We’re in the web hosting business and whenever we try to be a bit more progressive, people start yelling at us that their IE 4-using customers in rural Mongolia can’t SSL-surf their shop. When it comes to mail, IIRC some business phones were behind too.
OTOH iOS 6 support TLS 1.2, so if you’re just building a REST API for your own apps, you can go wild.
How does SSL compression work together with Apache's ordinary zlib support?
Is it redundant when you're already deflating text/html pages? Looking at a page fetched from my server, Apache respondents with Content-Encoding: gzip.
Focusing on the CRIME attack people are trying to prevent, TLS compression works for the entire session and will thus include the HTTP headers which are out of band from HTTP transfer encoding. That's how CRIME works: if an attacker can use something like JavaScript to make a request in your browser with some text which they control and can observe the packet sizes, they can measure whether the entire message compressed more than expected, indicating that some bytes are shared between the browser-generated headers and their injected contents. Repeat enough times and you can recover cookies byte by byte. See http://www.imperialviolet.org/2012/09/21/crime.html for the full details.
The good news is that Content-Encoding avoids the attack; the bad news is that it means we're missing the opportunity to avoid transmitting a significant chunk of repetitive text.
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Also, I couldn't get your disabling of SSL compression to work (on Gentoo Linux), either by pasting the export line into /etc/conf.d/apache2 (at the end) or /etc/init.d/apache2 (at the top).