Filippo Valsorda <fili...@ml.filippo.io> writes: >I feel like there should be nothing controversial in the context of TLS. > > Non-ephemeral FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DH_*) ought to be a > MUST NOT, because they can't be implemented securely. > > Reusing ephemeral shares for ECDHE and DHE ought to be a MUST NOT in all > TLS versions, because it's unnecessary and has been a requirement for > many > attacks now. > > Non-ephemeral ECDH ciphersuites (TLS_ECDH_*) ought to be a SHOULD NOT, > because again ECDH share reuse enables a whole class of attacks. > > FFDHE ciphersuites in TLS 1.0–1.2 (TLS_DHE_*) ought to be a SHOULD NOT, > because they are specified in a dangerous way that is not secure if > shares > are reused.
I agree with the first two but not the last. Why is non-ephemeral DH a MUST NOT but non-ephemeral ECDH a SHOULD NOT? There's nothing magic about the EC form that makes it any better or safer. And for the FFDHE ciphersuites, they're not specified in a dangerous way, people implement them in a dangerous way. You really have to go out of your way to get it wrong, in the case of RACCOON it's actually more effort to get it wrong (keep old copies of values floating around and reuse them over and over) than to get it right (generate a fresh value every time). So it doesn't need a "don't do FFDHE", it needs a "here's a lot of stupid things you can do with FFDHE if you put your mind to it. Don't do any of them". Or maybe it can be turned into a more general "here are some dumb things that people have done with TLS over the years. Check your server to make sure you're not doing them". Posting your web server's private key as a .p12 file in a subdirectory below $DocumentRoot, for example, would be high on my list. Peter. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
