Re: Improved TLS Defaults

From:	Daniel Lowrey	Date:	Wed, 29 Jan 2014 16:01:15 +0000
Subject:	Re: Improved TLS Defaults
Groups:	php.internals
Request:	Send a blank email to internals+get-71731@lists.php.net to get a copy of this message

> The Mozilla defaults are geared towards achieving perfect forward security
> where possible ...
> The RFC, at a minimum, seems a positive change.

Great! This is the goal.

The settings proposed in the RFC are geared towards disallowing anything
that's unabashedly insecure while still maintaining the broadest possible
support by default (to minimize BC implications). I realize that Padraic
isn't suggesting this but I want to state for the record that I don't
believe it makes sense at this time to try to enforce perfect forward
security as a language-level default. However, it *is* important to move
away from the existing naive default and that's what the RFC proposes.

The nice thing here is that the default cipher setting is *exceedingly*
simple to modify in response to future threats or attack vectors; all we'd
need to do to respond to new information going forward is to modify a
single string.


   

Thread (19 messages)

• Daniel LowreyWed, 29 Jan 2014 16:01:15 +0000
  • Pádraic BradyWed, 29 Jan 2014 16:23:51 +0000
• Daniel LowreyWed, 29 Jan 2014 19:10:05 +0000Re: Improved TLS Defaults
  • Yasuo OhgakiWed, 29 Jan 2014 19:46:08 +0000Re: Re: Improved TLS Defaults
    • Daniel LowreyWed, 29 Jan 2014 19:54:27 +0000
  • Pádraic BradyThu, 30 Jan 2014 00:16:32 +0000Re: Re: Improved TLS Defaults
    • Daniel LowreyThu, 30 Jan 2014 03:15:09 +0000
      • Rouven WeßlingThu, 30 Jan 2014 17:11:54 +0000
        • Daniel LowreyThu, 30 Jan 2014 17:17:23 +0000
          • Yasuo OhgakiFri, 31 Jan 2014 21:47:50 +0000
            • Daniel LowreyFri, 31 Jan 2014 22:08:26 +0000
              • Daniel LowreySat, 01 Feb 2014 17:47:31 +0000
                • Pádraic BradySun, 02 Feb 2014 00:27:55 +0000
                  • Daniel LowreySun, 02 Feb 2014 17:37:54 +0000
• Rouven WeßlingThu, 30 Jan 2014 17:11:54 +0000Re: Improved TLS Defaults
  • Daniel LowreyThu, 30 Jan 2014 17:17:23 +0000
    • Yasuo OhgakiFri, 31 Jan 2014 21:47:50 +0000
      • Daniel LowreyFri, 31 Jan 2014 22:08:26 +0000
        • Daniel LowreySat, 01 Feb 2014 17:47:31 +0000
          • Pádraic BradySun, 02 Feb 2014 00:27:55 +0000
            • Daniel LowreySun, 02 Feb 2014 17:37:54 +0000
• Daniel LowreySun, 02 Feb 2014 17:43:04 +0000Re: Improved TLS Defaults
  • Pádraic BradySun, 02 Feb 2014 19:38:13 +0000Re: Re: Improved TLS Defaults
    • Yasuo OhgakiMon, 03 Feb 2014 01:58:33 +0000
      • Daniel LowreyMon, 03 Feb 2014 20:09:16 +0000
• Daniel LowreyFri, 07 Feb 2014 02:50:35 +0000Re: Improved TLS Defaults