Re: [TLS] Another IRINA bug in TLS

[Kurt Roeckx <kurt@roeckx.be>]

On Fri, May 22, 2015 at 10:36:57PM +0200, Karthikeyan Bhargavan wrote:
> 
> > I think the authors felt the same. But in Section 4 of the paper, they said:
> 
> As one of the authors of the paper, let me try to clarify our recommendations a little bit.
> First, we only know what is broken, and can only make precise recommendations for avoiding the attacks in the paper.
> Figuring out what's a good long-term alternative is for a community forum like this to decide. 
> 
> If we were to make a recommendation for TLS, at least as it is used on the web, it would be as follows, 
> in decreasing order of preference:
> 
> 1) Switch to ECDHE. 
>     It is faster, and the kinds of attacks discussed in our paper have not (yet) been shown to be effective for the common curves.
>     As usual, we need to be wary of weak curves (160-bit) or curves that may have been generated maliciously.
>     We leave it to the EC folks to tell us what are good curves to use.
> 
> 2) Switch to stronger (>=2048-bit) DHE groups.
>     If ECDHE is unavailable, we are happy (today) with >= 2048 groups as suggested in the FF-DHE draft.
>     As usual, we have to be wary of how these groups are generated, since there is the possibility of trapdoors being built in.
>     Using well known constants such as pi or e as the basis for prime generation (e is used in FF-DHE) is, as far as we know, 
>     a safe technique for generating a group with a low probability of a trapdoor.

The weakdh.org site currently says:
| If you run a server...
| 
| If you have a web or mail server, you should disable support for
| export cipher suites and generate a unique 2048-bit Diffie-Hellman
| group.

Should that be changed to "and use a 2048-bit Diffie-Hellman
group"?


Kurt