Update warnings & failures #225
Comments
This seems reasonable. It would also be nice to have another colour to indicate non-PFS ciphers, but I don't think that's really going to work, so flagging them yellow might be the best option. It would probably also be good to add a new XML elements fo
Also seems reasonable - there's no reason to be using SHA-1 in 2020.
Flagging up 112 bits seems fair enough (AFAIK the only cipher with this strength is 3DES, and we're already flagging the cipher in yellow, so flagging the bits in the same colour seems sensible). However, I'm a bit more uncomfortable with the idea of flagging everything 2048 bit as a warning (even though they're arguably the same strength). The current recommendations from NCSC are to use 2048 bit certificates, Mozilla recommend it when you can't use EC certificates, and NIST recommend it for normal usage (although with the caveat you mentioned about using 3072 for TS). I think it's hard to justify going against the recommendations of organisations like that without some pretty strong justification, and some good references to point to. I think that the current behaviour of displaying 2048 in white (i.e, "fine, but not the best"), and 3072 and above as green (was previously 4094 and above, but that should really have been 3072, so I fixed it in 1495e4f) seems like a reasonable approach for now. Happy to discus further.
This is an....interesting area. I'm aware of some of the arguments around these curves (although not in anywhere near the depth that you've clearly studied them). Without wanting to go too deep into the technical side of this, I think the main question would around the purpose of sslscan and the wider context. These curves have been implemented by pretty much everyone, and are recommended by quite a few people (such as NCSC and Mozilla) other than NIST. By flagging them as insecure, we're saying that either all of these organisation are wrong and have implemented backdoored cryptography (i.e, we know better than Mozilla, Google, Microsoft, NCSC, etc) or that they are all part of an conspiracy to deliberately implement backdoored cryptography (including organisations outside of the USA, who are recommending it to their own government departments and companies). If I'm reporting this as an issue to a client on a penetration test, this then puts me in the position of either saying "I know more about crypto than our government" or "our government is intentionally recommending you use backdoored crypto that lets the USA spy on you because....reasons". Neither of those really seem like a position that I want to be in. We do flag some of the Chinese and Russian ciphers as questionable, but that's a much easier argument to have, and they've also received a lot less scrutiny (in public anyway, I'm sure certain organisations have spent a very long time looking at them). To draw a parallel, there are a lot of reasons to suspect that certain organisations might have backdoors in Microsoft Windows, and definitely have access to platforms such as Azure. However, I don't think it would be appropriate for a scanning tool to throw a warning based on the fact that someone was using Windows, unless there is some concrete evidence of an actual backdoor that affected them. The current code displays these curves in white (i.e, "fine, but not the best") rather than green - which seems like reasonable position. We're not actively saying "this is bad", but we are saying "there's a better option available". Interested to hear your thoughts on the above. |
|
Hi, IIUC TLS 1.3 ciphersuites are not being rated as strong since the key exchange is specified elsewhere and "DHE" never appears in the cipher name. They still appear as "acceptable" but this makes the ranking surprising. |
I think some algorithms & key sizes should be re-categorized. Instead of just issuing a PR, I thought I'd talk about it first and see if we are on the same page.
Flag anything at the 112-bit security level as a warning. According to this NIST document (see pg. 54 & 55), this includes 2048-bit RSA & DH. I base this on (admittedly, a bit out-dated) research from 2003 that suggested 2,048-bit provides security only until the year 2030; this would be insufficient for some things such as patient health information. I do recognize that an updated estimate would be more convincing, but note that the NSA recommends 3072-bit for TOP SECRET data. To some people, their health information is indeed very sensitive, and must be protected for decades into the future. A 128-bit level would give a more comfortable buffer for this scenario.
Flag anything using the NIST P-curves (P-256/384/521) as a hard failure. I'm part of the camp that strongly suspects these were back-doored by the NSA in the late 1990's. I actually gave an hour-long presentation on this topic before, so I have a lot to say about it (the ultra-short summary is that magic numbers were used with no rationale given, NIST refuses to comment on them, and the NSA got caught red-handed in the Snowden leaks pushing NIST into standardizing the Dual_EC_DRBG random number generator with a back-door). But instead of writing pages and pages here, I'd first see where you are on this topic. I'd be happy to elaborate if you're not convinced. (FYI: substituting the P-curves with Curve25519/Curve448 yields no performance nor compatibility problems in modern browsers.)
Thoughts? I'll be happy to submit PRs for these if you're on board.
The text was updated successfully, but these errors were encountered: