Re: How can I tell what key strength is used to negotiate HTTPS content encryption keys?

2009-08-22 Thread Ian G
On 21/08/2009 20:30, Ellen Chan wrote: Hi again Ian, Yes I can appreciate that there are priorities and you're reluctant to get into something overly complex. Well, I won't be coding it :) I'm just offering my opinion, which we might recognise as being polarised against the majority here.

Re: How can I tell what key strength is used to negotiate HTTPS content encryption keys?

2009-08-21 Thread Ian G
Hello Justin, On 20/08/2009 17:45, Justin wells wrote: Hi Ian, Thanks for your reply! It's very enlightening, and I do agree that in the real world there are a lot of issues other than the cryptographic issues. Just to be sure, I am not suggesting that the weakest link should be as strong as

Re: How can I tell what key strength is used to negotiate HTTPS content encryption keys?

2009-08-21 Thread Ellen Chan
Hi again Ian, Yes I can appreciate that there are priorities and you're reluctant to get into something overly complex. It's probably wise then to drop any attempt to have the application sort out which is the weaker link and instead just bubble that information up to the user, so that they can

Re: How can I tell what key strength is used to negotiate HTTPS content encryption keys?

2009-08-20 Thread Justin wells
Right, so from that RFC: Note that higher layers should not be overly reliant on TLS always negotiating the strongest possible connection between two peers: there are a number of ways a man in the middle attacker can attempt to make two entities drop down to the least secure method they

Re: How can I tell what key strength is used to negotiate HTTPS content encryption keys?

2009-08-20 Thread Ian G
On 19/08/2009 20:30, Justin wells wrote: Plainly the concern is that 256 bit AES does you no good if the AES keys were exchanged insecurely. The security of the connection is the lesser of the security of the content encryption, and the security of the key agreement protocol Yes, this is

Re: How can I tell what key strength is used to negotiate HTTPS content encryption keys?

2009-08-20 Thread Justin wells
Hi Ian, Thanks for your reply! It's very enlightening, and I do agree that in the real world there are a lot of issues other than the cryptographic issues. Just to be sure, I am not suggesting that the weakest link should be as strong as the strongest link. I am just trying to understand how weak

Re: How can I tell what key strength is used to negotiate HTTPS content encryption keys?

2009-08-20 Thread Arshad Noor
Justin makes some valid points. Risk-management in the future is going to increasingly be about transparency and disclosure. As long as Firefox and Thunderbird provide information about the strengths of different keys in the SSL/TLS negotiation, Mozilla will be advancing the cause of better

Re: How can I tell what key strength is used to negotiate HTTPS content encryption keys?

2009-08-19 Thread Nelson B Bolyard
On 2009-08-19 11:30 PDT, Justin wells wrote: Hi all, When I visit an HTTPS link I can see what strength of encryption is used to encrypt the content (e.g., 256 bit AES) and if I dig a little I can even see the strength of the certificate used for authentication (e.g., 1024 bit RSA). What I