Re: [cryptography] [Ach] Better Crypto

[Aaron Zauner]

Hi, *

Axel Hübl wrote:
 I could not agree more.

 Crazy C get's totally against the scope of this document: providing
 _relyable_ crypto.

 If someone reads that document and goes for see, they still list it as
 compatible, provide it! the document lost it's main point.
I agree too. Sorry. But that's really not our issue to tackle. If we
want to provide a guide for _better_crypto_ we'll need to drop some
stuff that eventually breaks compatibility. I'm totally for discussing
ECDHE on top of DHE (although curve options as currently implemented in
libraries just suck) and SRP (which is a very good scheme in my opinion)
- but discussing EOL ciphers like 3DES is somewhat out of scope. After
all we want to prompt change in peoples mindset about legacy
installations, their security and what should be regarded as safe for
customers and users. Nobody has to follow this guide to the letter.

Aaron






On Tue, Jan 7, 2014 at 1:38 PM, Axel Hübl axel.hu...@web.de wrote:

 I could not agree more.

 Crazy C get's totally against the scope of this document: providing
 _relyable_ crypto.

 If someone reads that document and goes for see, they still list it as
 compatible, provide it! the document lost it's main point.

 Cheers,
 Axel

 On 07.01.2014 13:08, Pepi Zawodsky wrote:
  On 07.01.2014, at 11:55, ianG i...@iang.org wrote:
  Suite C:  maximum compatibility
 
  This is what every other guide on the internet already does. We'll
 _never_ get to improve the current state if we keep supporting fubared
 stuff. If we want the broadest compatibility let's switch back to
 plaintext. Works fine with my NCSA Mosaic. :-)
 
  In my opinion Sweet A is where we should be. Yes, this is a
 forward-looking setting. It sill shall point the direction everyone should
 be headed for. Bravo B is still considered secure as to our best of
 knowledge today™ which still supports a wide array of deployed software
 without unsafe compromises on the security aspect.
 
  I oppose the introduction of a Crazy C cipher that supports every client
 as this scenario would contradict the goal of the project as I see it.
 bettercompatibility.org is still available. :-)
 
  Best regards
  Pepi
  ___
  Ach mailing list
  a...@lists.cert.at
  http://lists.cert.at/cgi-bin/mailman/listinfo/ach
 


 ___
 Ach mailing list
 a...@lists.cert.at
 http://lists.cert.at/cgi-bin/mailman/listinfo/ach


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] [Ach] Better Crypto

[Aaron Zauner]

Hi Peter,

Peter Gutmann wrote:
 The problem is that as you read through the text you see, again and again, a
 large amount of material telling you how to configure algorithms for OpenSSL
 (and then to a lesser extent OpenSSH and others).  It seems to be the
 overriding theme throughout the document.  A better option would be to refer
 to a single location for this (in an appendix) and then give users a choice: a
 generic safe config (disable null, export ciphers, short keys, known-weak,
 etc), a maximum-interoperability config (3DES and others), and a super-
 paranoid config (AES-GCM-256, Curve25519, etc), with warnings that that's
 going to break lots of things.
We try to offer two OpenSSL cipher-strings currently: A and B with A
being the tinfoil-hat version. Now we need input from people like you,
people that run large-traffic sites, develop SSL libraries, Client and
Server software and so forth to find a good common ground. We have
recently got a lot of useful feedback from e.g. the Firefox crypto team
and I'm sure we'll incorporate that into our paper. We're still in a
DRAFT stage and intent to update the paper even after our first release
regularly since the world of SSL/TLS changes a lot these days.


 That assumes that people will read all of that, as well as the theory chapter
 that follows.  Since the document is laid out as a cookbook, I have the
 feeling that most people who just want to get a server up and running will
 flip through until they find the bit corresponding to the software they'll be
 running and then cutpaste the config lines they find there.  Or at least
 that's been my experience in maintaining an open-source crypto library for
 nearly two decades, the documentation isn't an instruction manual in the usual
 sense but a set of code templates ready to cutpaste into a finished app.
 Look at the popularity of HOWTOs for any number of how-to-set-up-XYZ issues,
 most people just want a cookbook and won't read long, detailed discussions.  
 Or for that matter any discussion that goes beyond do this to get it 
Yup. But that's a issue we won't be able to solve. If serious system
engineers can't find the time to read through a paper and it's reasoning
but instead look up ubuntuforums than they probably should not be
employed to do security critical decisions. We all know that problem
very well - some people just wont RTFM - this is also why the paper is
pretty terse and has put the configurations in front of the theory part
(used to be the other way around).

I still have the feeling that such a project is important since you
cannot find anything similar on the web that is useful for operations
people. Most people end up reusing configuration settings that someone
proposed somewhere on github or in an online forum, often without any
prior research.

Thanks for your input,
Aaron



signature.asc
Description: OpenPGP digital signature
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography