
Is HTTP 2.0 finalized and approved? If not could we push for it to support PFS by default with ECDHE, which seems to add only 15 percent overhead [1]? That seems like a small price to pay if the security of every session grows exponentially, with each one being encrypted with a new key.

HTTP 2.0/SPDY already makes TLS mandatory, no? So why not make PFS mandatory, too? I'd rather we do it now than wait for HTTP 3.0, and it might force a lot more companies to adopt it by default as they move to HTTP 2.0 (companies such as Microsoft [2]).

EDIT: Links

[1] - http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-se...

[2] - http://news.netcraft.com/archives/2013/06/25/ssl-intercepted...



I wrote this post before the latest of Snowden's revelations and Bruce Schneier's comments on them[1].

"Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can."

I'd rather have some smart people take a thorough look at the curves we use before we make ECDHE mandatory. If we need to choose between computationally heavy DHE or possibly backdoored ECDHE, I'm afraid many companies will still pick ECDHE.

[1] - http://www.theguardian.com/world/2013/sep/05/nsa-how-to-rema...


Be careful with traditional Diffie-Hellman, which in practice also has problems: if your server software doesn't let you specify your own parameters, it's probably using 1024 bit parameters. All versions of Apache are guilty of this[1], as are (at least the versions I checked) Dovecot and Postfix. I would not trust 1024 bit DH in the face of an adversary like the NSA. It would be interesting to check how XMPP server software handles DH parameters.

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=49559

Edit to add: Prosody allows you to specify dhparams, though the documentation is vague[2]. Don't see anything in the ejabberd docs for this[3].

[2] http://prosody.im/doc/advanced_ssl_config

[3] http://www.process-one.net/docs/ejabberd/guide_en.html


Yes, Prosody does allow it, but you're right that the documentation is vague - it's because it's a bit awkward at the moment.

We're planning to release 0.9.1 on Monday to address this issue (or you can grab one of our nightlies at https://prosody.im/nightly/0.9/ (build 160+) ).

Should have docs up in the next couple of days, but for now it should suffice to say that you can simply add a 'dhparam' field to your existing 'ssl' option in your config file that is a path to a DH parameters file created with something like:

openssl dhparam -2 2048 > prosody-dhparam.pem

Hope this helps!


I think DJB is saying that the "default" ones recommended by NIST like P-224 are weak, but if you use something like Curve25519, then you're fine.

Full paper:

http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4...


Anecdotally, we see > 98% of browser clients using PFS cipher suites.

Sure it would be nice if it was mandatory, but 98% is _very_ good.
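Figures like the 98% above come from classifying the cipher suite negotiated on each connection. As an added example (not code from the commenter or from any project), the block below runs that classification over a few constructed log lines in the nginx-style layout assumed here, "$remote_addr $ssl_protocol $ssl_cipher", and reports the forward-secret share along with which non-PFS suites remain. It handles both OpenSSL-style and IANA cipher names, and treats every TLS 1.3 connection as forward-secret, since TLS 1.3 suites always use an ephemeral (EC)DHE exchange:

```python
import re
from collections import Counter

# Added example, not from the thread. The log lines are constructed and the
# field layout ($remote_addr $ssl_protocol $ssl_cipher) is an assumption
# about how the access log was configured.

SAMPLE_LOG = """\
10.0.0.1 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
10.0.0.2 TLSv1.2 DHE-RSA-AES256-SHA
10.0.0.3 TLSv1.2 AES128-SHA
10.0.0.4 TLSv1.3 TLS_AES_256_GCM_SHA384
10.0.0.5 TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
10.0.0.6 TLSv1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
10.0.0.7 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
10.0.0.8 TLSv1.0 RC4-SHA
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<proto>TLSv[\d.]+) (?P<cipher>\S+)$")


def has_forward_secrecy(protocol: str, cipher: str) -> bool:
    """True when the key exchange is ephemeral (EC)DHE.

    TLS 1.3 suite names carry only the AEAD and hash; the exchange is always
    ephemeral. For earlier versions both OpenSSL names (ECDHE-..., DHE-...,
    the older EDH-... alias) and IANA names (TLS_ECDHE_..., TLS_DHE_...)
    carry the key exchange in the prefix. Anonymous ADH/AECDH suites are
    ephemeral but unauthenticated and are deliberately not counted.
    """
    if protocol == "TLSv1.3":
        return True
    name = cipher.upper()
    if name.startswith("TLS_"):
        name = name[4:]
    return name.startswith(("ECDHE-", "DHE-", "EDH-", "ECDHE_", "DHE_"))


def pfs_share(log_text: str) -> dict:
    """Count forward-secret vs. non-forward-secret connections in the log."""
    counts = Counter()
    non_pfs_ciphers = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than miscount them
        if has_forward_secrecy(m["proto"], m["cipher"]):
            counts["pfs"] += 1
        else:
            counts["no_pfs"] += 1
            non_pfs_ciphers[m["cipher"]] += 1
    total = counts["pfs"] + counts["no_pfs"]
    return {
        "total": total,
        "pfs": counts["pfs"],
        "no_pfs": counts["no_pfs"],
        "pfs_percent": round(100.0 * counts["pfs"] / total, 1) if total else 0.0,
        "non_pfs_ciphers": dict(non_pfs_ciphers),
    }


if __name__ == "__main__":
    print(pfs_share(SAMPLE_LOG))
```

The `non_pfs_ciphers` breakdown is the actionable part: it shows which legacy suites the remaining clients negotiate, which is what decides whether they can be dropped from the server's cipher list without cutting anyone off.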



