Monthly Archives: June 2014

With the recent interest in TLS, due to Heartbleed and the privacy concerns raised by the actions of certain agencies responsible for national security, there has been some really good discussion about TLS and how it is implemented.  Many people have talked about cipher suites in the context of server configuration: how to set up your servers to use only secure protocols (no SSLv2, and no SSLv3 if you can get away with it), secure key exchange (preferring mechanisms that give Perfect Forward Secrecy), secure symmetric ciphers (AES-GCM, AES-CBC, and 3DES if you have to) and sound integrity checks (HMACs, avoiding MD5 and SHA-1).  While I love this discussion and am glad it seems to be moving in the right direction, I think it is also important to talk about what is going on with clients.  The configuration of my servers matters to the people who connect to them (all twelve of you), but it doesn't affect the rest of my web browsing.  If I'm on my bank's website with IE8 on Windows XP, the security of my web server configuration doesn't make me any more secure :).  In this article I am going to talk about which cipher suites the different browsers support, how they negotiate, and I will speculate a bit on the different design decisions made by each vendor.  I will also list whether Server Name Indication is supported or not.  SNI isn't really a feature that improves security per se, but it lets a single IP address serve TLS for several host names, which is important for moving things forward as IPv4 addresses get more and more scarce.


I have been doing a lot of thinking about public key cryptography lately.  It is a topic that a lot of people don’t understand, even those with a technical bent.

Every time you connect to a secure site there is a lot going on in the background.

Myth 1: As long as things are encrypted, I’m secure.
This one is kind of obvious, but I bring it up to help point out a problem I see all the time.  People focus on the encryption part of TLS without realizing that public key crypto does more for you than encryption.  The other major thing you get with public key crypto is authenticity (verification that you are talking to who you think you are talking to).  If you are securely communicating with an attacker, you are not communicating securely.
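The classic way to see why encryption alone is not enough is a Diffie-Hellman key exchange with and without authentication. The script below is an added example, not code from the original post: two parties agree on a session key over plain DH while a third party in the middle swaps in her own values, and both "encrypted" links end up readable by her; signing the DH value with a key the peer already trusts is what stops that. The party names (Alice, Bob, Mallory), the toy group (a Mersenne prime with generator 3) and the toy RSA key built from two hard-coded primes are assumptions chosen to keep the example offline and short; none of them is fit for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: the Mersenne prime 2^127-1 with generator 3.
# Chosen so the numbers stay readable; it is not a safe prime and not for real use.
P = 2**127 - 1
G = 3

# Toy RSA key pair standing in for Alice's certificate key. Hard-coded Mersenne
# primes keep the example deterministic and offline; real keys are 2048+ bits.
_RSA_P, _RSA_Q = 2**61 - 1, 2**89 - 1
ALICE_N, ALICE_E = _RSA_P * _RSA_Q, 65537
ALICE_D = pow(ALICE_E, -1, (_RSA_P - 1) * (_RSA_Q - 1))


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a session key from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def _digest_int(value):
    return int.from_bytes(hashlib.sha256(value.to_bytes(16, "big")).digest(), "big")


def sign(value, d=ALICE_D, n=ALICE_N):
    """Textbook RSA signature over a hash (toy: no PSS or PKCS#1 padding)."""
    return pow(_digest_int(value) % n, d, n)


def verify(value, sig, e=ALICE_E, n=ALICE_N):
    return pow(sig, e, n) == _digest_int(value) % n


def unauthenticated_exchange():
    """Plain DH with Mallory in the middle. Returns True when Mallory ends up
    holding both endpoints' session keys, i.e. she reads everything."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    # Mallory replaces each party's public value with her own in transit.
    alice_key = session_key(a_priv, m_pub)     # Alice believes m_pub came from Bob
    bob_key = session_key(b_priv, m_pub)       # Bob believes m_pub came from Alice
    mallory_with_alice = session_key(m_priv, a_pub)
    mallory_with_bob = session_key(m_priv, b_pub)
    # Both links are "encrypted", yet Mallory can decrypt and re-encrypt each one.
    return alice_key == mallory_with_alice and bob_key == mallory_with_bob


def authenticated_exchange(mallory_in_middle):
    """Alice signs her DH value; Bob verifies it against Alice's public key,
    which he is assumed to know already (in TLS a certificate chain supplies it).
    Returns True if Bob accepts the value he received."""
    a_pub = dh_keypair()[1]
    sig = sign(a_pub)
    received_pub = a_pub
    if mallory_in_middle:
        # Mallory swaps in her own value but cannot produce Alice's signature on it.
        received_pub = dh_keypair()[1]
    return verify(received_pub, sig)


if __name__ == "__main__":
    print("Plain DH, Mallory holds both session keys:", unauthenticated_exchange())
    print("Signed DH, honest network, Bob accepts:", authenticated_exchange(False))
    print("Signed DH, Mallory in the middle, Bob accepts:", authenticated_exchange(True))
```

Note where the security actually comes from: the signature check is only as good as Bob's knowledge of which public key is Alice's. In TLS that knowledge is what the certificate and the CA chain are for, so a client that skips certificate validation (or trusts any CA that will sign anything) is back in the unauthenticated case, encryption or not.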