What to do about SSL strength
Henry Miller
hank at millerfarm.com
Wed Mar 8 15:04:26 GMT 2006
On Wednesday 08 March 2006 03:19, Thiago Macieira wrote:
> George Staikos wrote:
> >> - you made it so that we negotiate ciphers of 168 bits or stronger
> >> - as a result, servers tell us we don't support strong encryption
> >
> > Yes.
> >
> >> Are those servers trying to use 128-bit as "strong"?
> >
> > Basically they have "if (bits(cipher) != 128) { error('weak crypto
> >unsupported'); }"
Nothing should be done until we check with Mozilla, Apple, and Opera. The
right solution is for everyone to support 168 bit encryption. Konqueror
alone does not have the market share to force a change. Mozilla does,
Apple might. If they turn on 168 bit soon (as in the next release), knowing
they will encounter the same problem, web masters will be forced to fix their
bugs.

Make sure everyone puts the above in their FAQ and release notes so that when
people get weak encryption messages they know it isn't their browser, it is
idiots at the other end. (Of course we word it nicely, but in such a way
that anyone reading between the lines knows that we mean idiots.)

The wrong solution is to use only 128 bit encryption when we can do more.
True 128 bit is secure enough, and expected to remain that way, but we need
maximum flexibility should things change. The last thing we want is for a
hole to be found in current 128 bit ciphers, that is solved (or at least
unexploitable) in the 168 bit versions.

P.S. This would be a good thing to summarize and submit to
www.thedailywtf.com, not only will everyone get a good laugh over it, but
they have a bunch of readers, some of whom may have power to fix this, if
they know to look for it.
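The failure discussed in this thread, as an added example (not code from the thread, from Konqueror or from any server mentioned here): the TLS layer negotiates a suite both sides share, then a server-side check inspects the negotiated key size. The check quoted above (`bits(cipher) != 128`) puts a ceiling on strength as well as a floor, so a client that offers only 168-bit suites is refused as "weak". The cipher-suite names, key sizes, client offers and server ordering below are constructed for the illustration; the one outside fact used is that 3DES's nominal 168-bit key gives roughly 112 bits of effective strength, which is why the corrected policy compares a floor on effective strength rather than the nominal number.

```python
"""Added example: why an "exactly 128 bits" server check rejects stronger suites.

Models the situation in the thread: negotiation picks a common suite, then a
server-side policy looks at its key size. Names and offers are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_bits: int        # nominal key length, what the check quoted in the thread looks at
    effective_bits: int  # strength after known attacks (3DES: ~112 of its 168 key bits)

# Constructed catalogue of 2006-era suites; strengths are the usual textbook values.
DES_CBC3_SHA = CipherSuite("DES-CBC3-SHA", 168, 112)
AES128_SHA = CipherSuite("AES128-SHA", 128, 128)
RC4_MD5 = CipherSuite("RC4-MD5", 128, 128)  # treated as 128-bit at the time
DES_CBC_SHA = CipherSuite("DES-CBC-SHA", 56, 56)
EXP_RC4_MD5 = CipherSuite("EXP-RC4-MD5", 40, 40)

# Constructed server order: it prefers 128-bit suites, so browsers that offer
# AES-128 or RC4 never trip the check, while a 168-bit-only client does.
SERVER_PREFERENCE = [RC4_MD5, AES128_SHA, DES_CBC3_SHA, DES_CBC_SHA, EXP_RC4_MD5]

# A client configured as described in the thread: only 168 bits or stronger.
STRONG_ONLY_CLIENT = [DES_CBC3_SHA]
# A typical client of the time, still offering 128-bit suites.
DEFAULT_CLIENT = [DES_CBC3_SHA, AES128_SHA, RC4_MD5]


def negotiate(client_offer: Sequence[CipherSuite],
              server_preference: Sequence[CipherSuite]) -> Optional[CipherSuite]:
    """Server-preference negotiation: first suite in the server's order that the
    client also offered (OpenSSL does this with SSL_OP_CIPHER_SERVER_PREFERENCE)."""
    offered = {s.name for s in client_offer}
    for suite in server_preference:
        if suite.name in offered:
            return suite
    return None


Policy = Callable[[CipherSuite], bool]


def exact_128_policy(suite: CipherSuite) -> bool:
    """The buggy check from the thread: anything other than exactly 128 bits is 'weak'."""
    return suite.key_bits == 128


def minimum_strength_policy(minimum_effective_bits: int = 112) -> Policy:
    """Correct shape for the check: a floor on effective strength and no ceiling."""
    def accept(suite: CipherSuite) -> bool:
        return suite.effective_bits >= minimum_effective_bits
    return accept


def handshake(client_offer: Sequence[CipherSuite],
              server_preference: Sequence[CipherSuite],
              policy: Policy) -> str:
    """Negotiate, then apply the server's strength policy to the chosen suite."""
    suite = negotiate(client_offer, server_preference)
    if suite is None:
        return "handshake failed: no common cipher suite"
    if not policy(suite):
        return f"weak crypto unsupported ({suite.name}, {suite.key_bits} bits)"
    return f"ok ({suite.name}, {suite.key_bits} bits)"


if __name__ == "__main__":
    for label, client in (("default client", DEFAULT_CLIENT),
                          ("168-bit-only client", STRONG_ONLY_CLIENT)):
        print(f"{label}, exact-128 check:   {handshake(client, SERVER_PREFERENCE, exact_128_policy)}")
        print(f"{label}, minimum-strength: {handshake(client, SERVER_PREFERENCE, minimum_strength_policy())}")
```

Running it shows the asymmetry the thread complains about: the default client negotiates RC4-MD5 and passes both checks, while the 168-bit-only client negotiates DES-CBC3-SHA and is rejected by the equality check but accepted by the floor-based one. The floor-based policy still rejects the genuinely weak 56- and 40-bit suites, so the fix loses nothing the original check was meant to enforce.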