Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict cipher suite selection #491

Closed
martinthomson opened this issue Jun 3, 2014 · 1 comment
Closed

Restrict cipher suite selection #491

martinthomson opened this issue Jun 3, 2014 · 1 comment
Labels
design editor-ready security

Comments

@martinthomson
Copy link
Collaborator

Will Chan has suggested that Chrome wants to restrict the set of cipher suites that we consider to be acceptable for HTTP/2. A unilateral action on the part of Chrome might have the effect of forcing the issue for sites, but that would be problematic.

We already require (potentially) ephemeral key exchange with a certain minimum strength. But that's just the handshake. The changes here relate to the TLS record layer.

If we want to improve the situation on the record layer, we can start by considering the following list of options, all of which are on the threatened species list (they won't be part of TLS 1.3), in order of least to most desirable:

  • RC4 (we currently advise against this in a non-normative fashion)
  • 3DES
  • AES CBC modes
@martinthomson martinthomson mentioned this issue Jun 5, 2014
Merged
@mnot
Copy link
Member

mnot commented Jun 6, 2014

Discussed in NYC; accept Martin's pull request delta making it a blacklist, not a whitelist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
design editor-ready security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@martinthomson @mnot