Re: [TLS] Broken browser behaviour with SCADA TLS

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 05 July 2018 06:46 UTC

Date: Thu, 05 Jul 2018 09:44:55 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20180705064455.GA7996@LK-Perkele-VII>
References: <1530687136897.97792@cs.auckland.ac.nz> <CABkgnnXsM2_PsL_YsuNEh6eDyp-R2d2JRm6OmGFh9nRAV5Lukg@mail.gmail.com> <20180704074101.GA19789@LK-Perkele-VII> <1530691044974.54956@cs.auckland.ac.nz> <20180704081519.GA20000@LK-Perkele-VII> <1530756106390.98539@cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <1530756106390.98539@cs.auckland.ac.nz>
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lApSwMEF-d6_J3WF4w3S58s2xZw>
Subject: Re: [TLS] Broken browser behaviour with SCADA TLS
Precedence: list

On Thu, Jul 05, 2018 at 02:02:04AM +0000, Peter Gutmann wrote:
> Ilari Liusvaara <ilariliusvaara@welho.com> writes:
> 
> >Chrome initially did that. It caused quite a lot of bad feedback from owners
> >of various bad embedded stuff. The thread on relevant forums was quite
> >something. Hundreds of messages blaming Google for breaking stuff.
> 
> If there were "hundreds of messages" doesn't that indicate that it's Chrome
> that's the problem, and not everyone else?

Basically with DHE in TLS 1.2, you have very few choices:

1) Advertise DHE, accept weak groups. Vulernable to LOGJAM.
2) Advertise DHE, deny weak groups. Unacceptable failure rates.
3) Do not advertise DHE. Loses FPS with some servers.
4) Try DHE at first and fallback to RSA on too small group.
   Complex.

-Ilari

Re: [TLS] Broken browser behaviour with SCADA TLS Hubert Kario
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Salz, Rich
Re: [TLS] Broken browser behaviour with SCADA TLS Hubert Kario
Re: [TLS] Broken browser behaviour with SCADA TLS Hubert Kario
Re: [TLS] Broken browser behaviour with SCADA TLS Blumenthal, Uri - 0553 - MITLL
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Martin Rex
Re: [TLS] Broken browser behaviour with SCADA TLS Nikos Mavrogiannopoulos
Re: [TLS] Broken browser behaviour with SCADA TLS Ilari Liusvaara
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Ilari Liusvaara
Re: [TLS] Broken browser behaviour with SCADA TLS Martin Thomson
[TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Hubert Kario
Re: [TLS] Broken browser behaviour with SCADA TLS Martin Thomson
Re: [TLS] Broken browser behaviour with SCADA TLS Salz, Rich
Re: [TLS] Broken browser behaviour with SCADA TLS Kurt Roeckx
Re: [TLS] Broken browser behaviour with SCADA TLS David Benjamin
Re: [TLS] Broken browser behaviour with SCADA TLS Colm MacCárthaigh
Re: [TLS] Broken browser behaviour with SCADA TLS David Benjamin
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Ilari Liusvaara
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
Re: [TLS] Broken browser behaviour with SCADA TLS Adam Langley
Re: [TLS] Broken browser behaviour with SCADA TLS Martin Rex
Re: [TLS] Broken browser behaviour with SCADA TLS Martin Rex
Re: [TLS] Broken browser behaviour with SCADA TLS Martin Thomson
Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann