[Netcraft] SSL: Intercepted today, decrypted tomorrow

[Anonymous]

Recently, the Blogs & Newsfeed forum gave a pointer to the Netcraft article SSL: Intercepted today, decrypted tomorrow.

Today, I came to carefully read the article and to understand all its implications, and as a matter of fact, my web server installation did not negotiate a cipher having perfect forward secrecy (PFS) with my preferred browser (Safari on Mac OS X 10.8).

I investigated the situation further, and it turned out, that the preferred PFS cipher suites based on elliptic curve cryptography are not implemented by the base OpenSSL. So, I installed security/openssl, and I reinstalled apache24, php5, and postgresql92.

In /usr/local/etc/apache24/extra/httpd-ssl.conf I changed the value of the SSLCipherSuite directive, in order to allow nothing else than the suites with the highest security.

...
SSLCipherSuite HIGH:!aNULL
...

When I now open a https-site showing the results of phpinfo() on my FreeBSD server using Safari on my Mac, I get:

...
SSL_VERSION_LIBRARY	OpenSSL/1.0.1e
SSL_PROTOCOL		TLSv1
SSL_CIPHER		ECDHE-RSA-AES256-SHA
...

So, it seems that I managed to force my server to negotiate with Safari one of the strongest PFS suites available

 

[xtaz]

If you've not heard of this already, this site is awesome for testing your configuration out: https://www.ssllabs.com/ssltest/. I personally run nginx, but with the help of that site basically did the same as you and configured it to be almost as secure as I can get it whilst keeping it speedy and responsive with TLSv1.2, elliptic suites, and features like OCSP stapling, and SPDY.

From what you posted it looks like you are connecting using TLSv1.0 rather than 1.2 so you still have some improvements you can make by the looks of it as 1.0 is considered broken now and 1.2 is recommended.

For the cipher suite I personally use ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH. This prioritises a couple of TLS1.2 ciphers above RC4. New browsers negotiate those whereas older browsers negotiate the RC4 via TLS1.0. This is basically because RC4 is also considered broken, as are all CBC ciphers. SSL is in a bit of a mess really!

This is worth a read as well: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.2.pdf.

And these two interesting blog entries:
https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

 

[Anonymous]

... From what you posted it looks like you are connecting using TLSv1.0 rather than 1.2 so you still have some improvements you can make by the looks of it as 1.0 is considered broken now and 1.2 is recommended. ...

It is my favorite web browser, Safari 6.0.5 @ Mac OS X 10.8.4, that is limited to TLSv1.0, and this is because Safari utilizes the Security framework of the OS which on Mac still does not support TLSv1.2, while the exact same framework on iOS 6.1 does already. So, Safari on my iPhone 4 connects by TLSv1.2 to my website.

I used the last sunday for further reading (for example: SSL cipher settings) and optimizations though, and I came up with the following cipher suite:

...
SSLCipherSuite       TLSv1+HIGH:!3DES:!CAMELLIA:!aNULL:@STRENGTH
SSLHonorCipherOrder  on
...