What to do about SSL strength

Henry Miller hank at millerfarm.com
Wed Mar 8 15:04:26 GMT 2006


On Wednesday 08 March 2006 03:19, Thiago Macieira wrote:
> George Staikos wrote:
> >> - you made it so that we negotiate ciphers of 168 bits or stronger
> >> - as a result, servers tell us we don't support strong encryption
> >
> >  Yes.
> >
> >> Are those servers trying to use 128-bit as "strong"?
> >
> >   Basically they have "if (bits(cipher) != 128) { error('weak crypto
> >unsupported'); }"

Nothing should be done until we check with Mozilla, Apple, and Opera. The 
right solution is for everyone to support 168 bit encryption. Konqueror 
alone does not have the market share to force a change. Mozilla does, 
Apple might. If they turn on 168 bit soon (as in the next release), knowing 
they will encounter the same problem, web masters will be forced to fix their 
bugs.

Make sure everyone puts the above in their FAQ and release notes so that when 
people get weak encryption messages they know it isn't their browser, it is 
idiots at the other end. (Of course we word it nicely, but in such a way 
that anyone reading between the lines knows that we mean idiots.)

The wrong solution is to use only 128 bit encryption when we can do more. 
True 128 bit is secure enough, and expected to remain that way, but we need 
maximum flexibility should things change. The last thing we want is for a 
hole to be found in current 128 bit ciphers that is solved (or at least 
unexploitable) in the 168 bit versions.

P.S. This would be a good thing to summarize and submit to 
www.thedailywtf.com; not only will everyone get a good laugh over it, but 
they have a bunch of readers, some of whom may have power to fix this, if 
they know to look for it.
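As an added defender-side illustration (not code from this mail or from KDE), the server check quoted in the thread sits beside a minimum-strength version, and both are run over a constructed 2006-era cipher list and over the suites the local OpenSSL build actually offers. The cipher names and bit counts in the sample list are constructed for the example.

```python
"""Why 'bits(cipher) != 128' is the wrong policy: it rejects stronger suites.
Example code added for illustration; the sample cipher list is constructed."""
import ssl

# Constructed sample modelled on 2006-era suites: name and nominal key bits.
# (3DES's nominal 168 bits give roughly 112 bits of effective security, so a
# nominal-bit comparison is a crude measure either way.)
SAMPLE_CIPHERS = [
    {"name": "DES-CBC3-SHA", "strength_bits": 168},  # what the browser negotiated
    {"name": "AES256-SHA", "strength_bits": 256},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "RC4-MD5", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "strength_bits": 56},    # genuinely weak export-era suite
]


def buggy_server_accepts(strength_bits):
    """The check quoted in the thread: only exactly 128 bits passes."""
    return strength_bits == 128


def fixed_server_accepts(strength_bits, minimum=128):
    """A minimum-strength policy: anything at or above the floor passes."""
    return strength_bits >= minimum


def evaluate(ciphers, minimum=128):
    """Return (suites the buggy check wrongly rejects, suites both checks reject).

    Works on any list of dicts carrying 'name' and 'strength_bits', which is the
    shape ssl.SSLContext.get_ciphers() returns."""
    wrongly_rejected = [c["name"] for c in ciphers
                        if fixed_server_accepts(c["strength_bits"], minimum)
                        and not buggy_server_accepts(c["strength_bits"])]
    truly_weak = [c["name"] for c in ciphers
                  if not fixed_server_accepts(c["strength_bits"], minimum)]
    return wrongly_rejected, truly_weak


if __name__ == "__main__":
    wrong, weak = evaluate(SAMPLE_CIPHERS)
    print("sample: '!= 128' wrongly rejects", wrong, "; both checks reject", weak)
    # Same policy applied to the suites the local OpenSSL build offers today.
    live = ssl.create_default_context().get_ciphers()
    wrong, weak = evaluate(live)
    print(f"live: {len(wrong)} of {len(live)} offered suites fail the '!= 128' check")
```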




More information about the kde-core-devel mailing list