Re: [TLS] Broken browser behaviour with SCADA TLS

Peter Gutmann <> Thu, 05 July 2018 12:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F3B5A1277BB for <>; Thu, 5 Jul 2018 05:05:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sxVfSSt5MO_R for <>; Thu, 5 Jul 2018 05:05:06 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 800A6130DE4 for <>; Thu, 5 Jul 2018 05:05:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1530792305; x=1562328305; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=VjH1TyEySi2B6/Iv6mci+0m0OCnkZTDdlyXehbyL2Hk=; b=UqG3cfRRJ7Nhy1eogBnOVn5WZ41TZzuPJ+HMpuWkl/WoHqodwN15k/LE EzCS/zyJ63WhD7z14QJpLjG2nfBygyyXt6JZb6259l/03ZWQO97AM45L7 /tretgD7llBInxPzYHVeyffmcVD2zZ3hkt268twgN2kQj364JpetT//+c Ga0DWPHd1wiWhlIvqcAsG9IyTU06XR0e0ZDdoweujjU8X3w7PypsIlQ5u G0Ge1yfY1cZtxEl2/1T1n1V0cSydYiYPw2xvId0Gr3LA11bWh63b6hnIW gsf8SWritxiEn7gNaxG31YtHb5Cki5zY5UfDS1Ik6V2TZ0TgkHGdn/tN+ w==;
X-IronPort-AV: E=Sophos;i="5.51,312,1526299200"; d="scan'208";a="19769706"
X-Ironport-Source: - Outgoing - Outgoing
Received: from (HELO ([]) by with ESMTP/TLS/AES256-SHA; 06 Jul 2018 00:05:02 +1200
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 6 Jul 2018 00:05:02 +1200
Received: from ([fe80::ccab:7bf5:3d4a:aed8]) by ([fe80::ccab:7bf5:3d4a:aed8%14]) with mapi id 15.00.1263.000; Fri, 6 Jul 2018 00:05:02 +1200
From: Peter Gutmann <>
To: Ilari Liusvaara <>
CC: "<>" <>
Thread-Topic: [TLS] Broken browser behaviour with SCADA TLS
Date: Thu, 5 Jul 2018 12:05:01 +0000
Message-ID: <>
References: <> <> <20180704074101.GA19789@LK-Perkele-VII> <> <20180704081519.GA20000@LK-Perkele-VII> <>, <20180705064455.GA7996@LK-Perkele-VII>
In-Reply-To: <20180705064455.GA7996@LK-Perkele-VII>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] Broken browser behaviour with SCADA TLS
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Jul 2018 12:05:13 -0000

Ilari Liusvaara <> writes:

>1) Advertise DHE, accept weak groups. Vulernable to LOGJAM.

Only if the weak groups you accept are 512 bits.

A bigger question is, why does Chrome think it's up to it to decide whether
the device user's choice of key size is appropriate or not?  As I mentioned
earlier, in many cases 1024-bit keys are not only perfectly fine but more than
enough.  In fact given the hardness of the DLP they're probably OK in
virtually all cases as long as everyone doesn't share the same group2 prime.

The crazy thing is that although Chrome rejects a connection to a PFS,
relatively safe (via the DLP's hardness) 1024-bit DHE server, it's perfectly
happy connecting to a far less safe (both in terms of factorability and use of
pure RSA) 1024-bit RSA server.  

This is "security" done backwards!