On Wed, 25 Oct 2017 18:57:05 -0400 Viktor Dukhovni <[email protected]> wrote:

> Which is different from
> requiring that clients or servers reject weaker options, but given
> such a server requirement, it would not be too unreasonable for STS
> clients to in fact require at least TLS 1.2 and its MTI ciphersuites
> from STS servers.

The MTI cipher in TLS 1.2 is TLS_RSA_WITH_AES_128_CBC_SHA, which doesn't support forward secrecy and is affected by two major cryptographic flaws (Vaudenay padding oracle and Bleichenbacher million message attack) that are hard to avoid in implementations.

I don't want to discuss here how it happened that the TLS 1.2 authors decided to declare such a cipher as "MTI", but I think it would be actively harmful to require a cipher in any modern standard that I'd argue should be deprecated better sooner than later.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
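The two properties Hanno raises against the MTI suite (no forward secrecy from static RSA key exchange, and CBC mac-then-encrypt as the setting for padding oracles) can be checked mechanically over a server's configured suite list. The following is an added example, not code from the thread or from any IETF document; it assumes IANA-style suite names of the form TLS_<kx>_WITH_<cipher>, and the sample list is constructed for the demonstration.

```python
"""Flag TLS 1.2 cipher suites that lack forward secrecy or use CBC mac-then-encrypt."""
import re

# Constructed sample list: the TLS 1.2 MTI suite named in the message plus
# a few comparison suites a modern configuration would actually offer.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",                  # MTI suite from the message
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]

# Lazy match on the key-exchange part stops at the first "_WITH_".
_SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>.+)$")


def classify_suite(name):
    """Describe a suite by key exchange and record protection.

    forward_secrecy: True only for (EC)DHE key exchange. Static RSA key
        exchange lets the server's long-term key decrypt every recorded
        session, and its RSA decryption is where Bleichenbacher-style
        oracles apply.
    cbc_mac_then_encrypt: True for *_CBC_* suites, the mac-then-encrypt
        construction behind Vaudenay-style padding oracles. AEAD suites
        (GCM, CCM, CHACHA20_POLY1305) are False.
    """
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError("not a TLS cipher-suite name: %r" % name)
    kx, cipher = m.group("kx"), m.group("cipher")
    fs = kx.startswith("ECDHE_") or kx.startswith("DHE_")
    cbc = "_CBC_" in cipher
    return {
        "name": name,
        "key_exchange": kx,
        "forward_secrecy": fs,
        "cbc_mac_then_encrypt": cbc,
        "acceptable": fs and not cbc,
    }


def weak_suites(suites):
    """Names of suites failing either property, in input order."""
    return [s for s in suites if not classify_suite(s)["acceptable"]]


if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(classify_suite(s))
    print("weak:", weak_suites(SAMPLE_SUITES))
```

Feeding the output of a server's configured suite list into `weak_suites` gives a quick audit of whether it still offers the suite class this message argues should be deprecated.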
