I am using Marlene Pratt's "Proposal to Remove legacy TLS Ciphersuites Offered by Firefox" from 13 Dec 2013 on the dev-tech-crypto mailing list as a guideline.
I present a proposal to remove some legacy ciphersuites from the initial handshake presented by Firefox. In Firefox 36, we have removed RC4 from the initial handshake, as well as implemented a secondary/fallback handshake for badly configured servers.

I have read the updated version of best current practices regarding Recommendations for Secure Use of TLS and DTLS: https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-11

These are the default available ciphersuites in Firefox 36.0:

  C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  002F TLS_RSA_WITH_AES_128_CBC_SHA
  0035 TLS_RSA_WITH_AES_256_CBC_SHA
  000A TLS_RSA_WITH_3DES_EDE_CBC_SHA

I propose removal of the following ciphersuite:

  0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA

because DSS (the non-EC version) is obsolete, and based on preliminary telemetry and Pulse data it is not being negotiated at all with any servers out there. My testing indicates that there are no public or private servers that would support only this ciphersuite - please provide some data if you think otherwise.

I also propose removing the following ciphersuite:

  000A TLS_RSA_WITH_3DES_EDE_CBC_SHA

because 3DES is a cipher that requires too much computing power compared to AES, much more computer memory, lacks hardware acceleration on servers, is rarely negotiated, has had its bit strength reduced below 128 bits, and its removal is on track with avoiding (and eventually removing) RSA key exchange. Additionally, the servers that support (or even prefer!) 3DES always support some AES ciphersuite too.

This would bring the list of presented ciphersuites down to:

  C02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  C02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  002F TLS_RSA_WITH_AES_128_CBC_SHA
  0035 TLS_RSA_WITH_AES_256_CBC_SHA

The secondary/fallback handshake can still offer the ciphersuites proposed for removal. The main point is that we want to show servers that we intend to keep the list of supported ciphersuites modern and secure.

The benefits of this change remain the same as in Marlene Pratt's original proposal.

Given that it took 10 (ten) Firefox versions (from Firefox 26 to Firefox 36) to implement the previous proposal, now is a good time to start talking about this new proposal. Hopefully it will not take until Firefox 46 to have it implemented.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
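The hex codes in the post are the two-byte ciphersuite identifiers that go on the wire in the ClientHello cipher_suites vector (a two-byte length followed by the two-byte IDs, RFC 5246 section 7.4.1.2). The following is an added example, not code from the post or from Firefox/NSS: it takes the Firefox 36 default list and the two proposed removals exactly as listed above, builds the trimmed list, encodes it into the wire-format vector and parses it back, and classifies a suite observed in a ServerHello as "primary" (in the trimmed initial offer), "fallback-only" (one of the suites that would only be offered in the secondary handshake) or "not-offered". The function names, the classification labels and the sample ServerHello values are this example's own assumptions.

```python
"""Firefox 36 default ciphersuites vs. the proposed trimmed list, at the TLS wire level."""
import struct

# Codes and names copied from the proposal's list of Firefox 36.0 defaults, in the same order.
FIREFOX_36_DEFAULTS = [
    (0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0xC00A, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"),
    (0xC009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"),
    (0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    (0xC014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
    (0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"),
    (0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"),
    (0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"),
    (0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA"),
    (0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA"),
    (0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]

# The two suites the proposal wants dropped from the initial handshake (DHE-DSS and 3DES).
PROPOSED_REMOVALS = {0x0032, 0x000A}

NAMES = dict(FIREFOX_36_DEFAULTS)


def proposed_list(defaults=FIREFOX_36_DEFAULTS, removals=PROPOSED_REMOVALS):
    """Return the trimmed (code, name) list, preserving the original preference order."""
    return [(code, name) for code, name in defaults if code not in removals]


def encode_cipher_suites(codes):
    """Encode codes as a ClientHello cipher_suites vector: uint16 byte length + uint16 IDs."""
    body = b"".join(struct.pack("!H", code) for code in codes)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(data):
    """Parse a cipher_suites vector back into a list of codes, rejecting malformed input."""
    if len(data) < 2:
        raise ValueError("cipher_suites vector too short for its length prefix")
    (length,) = struct.unpack("!H", data[:2])
    # RFC 5246 requires an even length of at least 2 (one suite) and a body that is fully present.
    if length < 2 or length % 2 or len(data) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    body = data[2:2 + length]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def classify_negotiated(code, offered=None):
    """Defender-side check for a suite seen in a ServerHello against the trimmed initial offer.

    'primary'       - selected from the modern initial handshake list
    'fallback-only' - one of the suites the proposal moves to the secondary handshake,
                      i.e. a server that would now need the fallback
    'not-offered'   - not in either list; a compliant server must not select it at all
    """
    offered_codes = {c for c, _ in (offered or proposed_list())}
    if code in offered_codes:
        return "primary"
    if code in PROPOSED_REMOVALS:
        return "fallback-only"
    return "not-offered"


def summarize(code):
    """Human-readable line for a negotiated suite, e.g. for a scan report."""
    return f"{code:04X} {NAMES.get(code, '<unknown>')}: {classify_negotiated(code)}"


if __name__ == "__main__":
    trimmed_codes = [code for code, _ in proposed_list()]
    wire = encode_cipher_suites(trimmed_codes)
    print("cipher_suites vector:", wire.hex())
    assert decode_cipher_suites(wire) == trimmed_codes
    # Constructed sample ServerHello selections (not observed data): an AES-GCM suite, 3DES,
    # and an arbitrary code outside both lists.
    for observed in (0xC02B, 0x000A, 0x0004):
        print(summarize(observed))
```

Running the round trip shows why the hex codes matter operationally: the 20-byte body of the trimmed vector is what a server actually sees, and the "fallback-only" classification is the list of servers telemetry should be counting before the change ships, since each one would pay the cost of a second handshake.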