by davidben 4110 days ago
This isn't prioritizing quite the right ciphers. The CBC mode construction in TLS has serious problems (MAC-then-encrypt instead of encrypt-then-MAC) and should be considered cryptographically broken. It's incredibly fragile and difficult to implement correctly.

You want to make sure TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is negotiated, at least where browsers support it. (It's spelled "ECDHE-RSA-AES128-GCM-SHA256" in OpenSSL.) There's a small handful of others that are also acceptable, but between ECDSA certificates being rare and CHACHA20_POLY1305 still being standardized, that's the one you want. All the rest are legacy baggage.

Mozilla has some server-side recommendations here: https://wiki.mozilla.org/Security/Server_Side_TLS
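As an added illustration of the prioritization being argued for (this is example code written for this thread, not code from the post, from Mozilla or from OpenSSL), the script below parses OpenSSL-style cipher-suite names, flags CBC suites that a server would offer ahead of any AEAD suite, checks that ECDHE-RSA-AES128-GCM-SHA256 is present, and reorders the list so AEAD suites with forward secrecy come first. The sample cipher list and the function names (`classify`, `audit`, `reorder`) are constructed for the example.

```python
import re

# Constructed sample: an OpenSSL-style cipher list of the kind found in a
# server config. It deliberately ranks CBC suites ahead of AEAD ones.
SAMPLE_CIPHER_LIST = (
    "AES256-SHA:"                   # RSA key exchange, AES-256-CBC, no forward secrecy
    "ECDHE-RSA-AES256-SHA384:"      # ECDHE, but still AES-256-CBC
    "ECDHE-RSA-AES128-GCM-SHA256:"  # the suite recommended in the post
    "ECDHE-RSA-CHACHA20-POLY1305:"  # AEAD alternative where supported
    "ECDHE-ECDSA-AES128-GCM-SHA256"
)

RECOMMENDED = "ECDHE-RSA-AES128-GCM-SHA256"


def classify(name):
    """Split an OpenSSL suite name into key exchange, cipher mode and key size.

    Expects expanded suite names (as printed by `openssl ciphers -v`), not
    keywords such as HIGH or !aNULL.
    """
    if name.startswith("ECDHE-"):
        kx = "ECDHE"
    elif name.startswith("DHE-"):
        kx = "DHE"
    else:
        kx = "RSA"  # static RSA key exchange: no forward secrecy

    if "GCM" in name or "CCM" in name or "CHACHA20-POLY1305" in name:
        mode = "AEAD"
    elif "RC4" in name:
        mode = "STREAM"
    else:
        mode = "CBC"  # AES/3DES suites without an AEAD marker are MAC-then-encrypt CBC

    m = re.search(r"AES(\d{3})", name)
    if m:
        key_bits = int(m.group(1))
    elif "CHACHA20" in name:
        key_bits = 256
    else:
        key_bits = None

    return {"kx": kx, "mode": mode, "key_bits": key_bits,
            "forward_secrecy": kx in ("ECDHE", "DHE")}


def _suites(cipher_list):
    """Yield suite names, skipping OpenSSL operators (!, -, +, @)."""
    for token in cipher_list.split(":"):
        if token and token[0] not in "!-+@":
            yield token


def audit(cipher_list):
    """Report the ordering problems the thread warns about."""
    names = list(_suites(cipher_list))
    cbc_before_aead, no_fs = [], []
    seen_aead = False
    for name in names:
        info = classify(name)
        if info["mode"] == "AEAD":
            seen_aead = True
        elif info["mode"] == "CBC" and not seen_aead:
            cbc_before_aead.append(name)  # a client preferring server order gets CBC
        if not info["forward_secrecy"]:
            no_fs.append(name)
    return {
        "ordered": names,
        "recommended_present": RECOMMENDED in names,
        "cbc_before_aead": cbc_before_aead,
        "no_forward_secrecy": no_fs,
    }


def reorder(cipher_list):
    """Stable re-sort: AEAD with forward secrecy first, then AEAD, then the rest."""
    def tier(name):
        info = classify(name)
        return (0 if info["mode"] == "AEAD" else 1, 0 if info["forward_secrecy"] else 1)
    return ":".join(sorted(_suites(cipher_list), key=tier))


if __name__ == "__main__":
    report = audit(SAMPLE_CIPHER_LIST)
    print("CBC suites offered before any AEAD suite:", report["cbc_before_aead"])
    print("Suites without forward secrecy:", report["no_forward_secrecy"])
    print("Reordered:", reorder(SAMPLE_CIPHER_LIST))
```

The reorder keeps each tier's original relative order, so it does not take a position on AES-128-GCM versus AES-256-GCM; it only enforces the two points made above, AEAD over CBC and ephemeral key exchange over static RSA.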


Just out of curiosity, why are you proposing that AES 128 is the one to go with? According to SSL Labs AES 256 is preferable and has broad support among browsers.
AES_128_GCM is much much preferable to AES_256_CBC. AES_256_GCM does not have broad support (not supported by Chrome or Firefox) and isn't really worth the performance tradeoff.

https://code.google.com/p/chromium/issues/detail?id=442572

SSL Labs is judging what they consider absolute security (I assume - I can't speak for Ivan or Qualys), where Google/Mozilla/etc look heavily at performance and supportability. Mozilla publishes their approach to what is 'best' here: https://wiki.mozilla.org/Security/Server_Side_TLS
This article points to an attack that applies to AES-256, but not 128.

https://www.schneier.com/blog/archives/2009/07/another_new_a...

Except that the attack you mention has no bearing on the standard 14-round AES-256 that everybody uses.
Thanks. I'm actually porting the Moz guidelines to node in the next few days.
Done: https://www.npmjs.com/package/ssl-config

As another poster mentions, using AES-GCM with 128 bit keys is considered superior to using a 256 bit key without (though indeed, removing all 128 bit keys gets you 100% on the SSLLabs test).

See https://wiki.mozilla.org/Security/Server_Side_TLS#Prioritiza...