New revelations on NSA capabilities yesterday in the New York Times: see https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html for a jumping off point.
The bottom line seems to be:
- don't use RC4 (we're already working toward that goal, I believe)
- don't use the Dual_EC_DRBG PRNG (see http://crypto.stackexchange.com/questions/10189/who-uses-dual-ec-drbg)
Can someone take a look at our SSL configuration and see if we have Dual_EC_DRBG enabled? (And if so, turn it off and use a better PRNG!) --scott
ps. apparently Dual_EC_DRBG is built-in to Windows (!). A good reason not to run your security-critical servers on Windows, I guess...
pps. if we're throwing stones, the Debian PRNG flaw is a big glass window....
ppps. http://blog.cryptographyengineering.com/2012/02/random-number-generation-ill...
pppps. router/switch/firewall compromises have also been a big part of the NSA story. Has anyone looked at our internal network infra closely?
On Fri, Sep 6, 2013 at 1:08 PM, C. Scott Ananian <cananian@wikimedia.org> wrote:
New revelations on NSA capabilities yesterday in the New York Times: see https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html for a jumping off point.
The bottom line seems to be:
- don't use RC4 (we're already working toward that goal, I believe)
"Someone somewhere commented that the NSA's "groundbreaking cryptanalytic capabilities" could include a practical attack on RC4. I don't know one way or the other, but that's a good speculation."
This is simply not helpful. "Someone somewhere", "good speculation". None of the articles or released documents say this. This is FUD as of right now.
On Monday I'll be adding the GCM ciphers for TLS 1.2 (I added the change yesterday: https://gerrit.wikimedia.org/r/#/c/83043/). We already have 1.2 enabled with weaker ciphers. We should keep RC4 around for older browsers that don't have a proper BEAST fix. There's no actual evidence of a viable attack.
2) don't use the Dual_EC_DRBG PRNG (see
http://crypto.stackexchange.com/questions/10189/who-uses-dual-ec-drbg)
Can someone take a look at our SSL configuration and see if we have Dual_EC_DRBG enabled? (And if so, turn it off and use a better PRNG!)
From my (brief) investigation, this was included in the FIPS implementations for openssl, but not otherwise. We don't use FIPS.
- Ryan
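An added example, not code from the thread or from Wikimedia's configuration: a small audit of an explicit cipher list and protocol list against the policy discussed above (TLS 1.2 with AES-GCM preferred, RC4 kept only as the last-resort fallback for clients without a BEAST fix). The two sample configs and the suite names are constructed for the example.

```python
# Added example (not from the thread): audit an nginx/Apache-style TLS config
# against the policy discussed above: TLS 1.2 on, AES-GCM suites preferred,
# RC4 only as the last-resort fallback, and nothing with no defensible use.

NEVER = ("NULL", "EXP", "ADH", "AECDH", "MD5", "DES-CBC-SHA")  # never acceptable


def audit_tls_config(protocols, cipher_string):
    """Return a list of findings; an empty list means the config meets policy.

    protocols:     enabled protocol names, as in nginx ssl_protocols
    cipher_string: colon-separated explicit suite names, as in nginx ssl_ciphers
                   (OpenSSL keywords/operators such as HIGH, !RC4 or @STRENGTH
                   are not expanded here; expand them with `openssl ciphers -v`)
    """
    findings = []
    ciphers = [c for c in cipher_string.split(":") if c]
    keywords = ("ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW")
    bad = [c for c in ciphers if c[0] in "!+-@" or c in keywords]
    if bad:
        return [f"unexpanded cipher-list keyword(s) {bad}; expand before auditing"]
    if "SSLv2" in protocols or "SSLv3" in protocols:
        findings.append("SSLv2/SSLv3 enabled")
    if "TLSv1.2" not in protocols:
        findings.append("TLSv1.2 disabled: AES-GCM suites can never be negotiated")
    gcm = [i for i, c in enumerate(ciphers) if "GCM" in c]
    rc4 = [i for i, c in enumerate(ciphers) if "RC4" in c]
    if not gcm:
        findings.append("no AES-GCM suite configured")
    if rc4 and gcm and min(rc4) < min(gcm):
        findings.append("RC4 preferred over AES-GCM: move RC4 to the tail")
    # RC4 is tolerated only if every RC4 suite sits at the very end of the list.
    if rc4 and rc4 != list(range(len(ciphers) - len(rc4), len(ciphers))):
        findings.append("RC4 suites are not all at the tail of the list")
    for c in ciphers:
        if any(marker in c for marker in NEVER):
            findings.append(f"{c}: no defensible use")
    return findings


# Constructed sample configs: a legacy one and the corrected one.
LEGACY = (["SSLv3", "TLSv1"], "RC4-SHA:RC4-MD5:AES128-SHA")
CORRECTED = (["TLSv1", "TLSv1.1", "TLSv1.2"],
             "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
             "ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA")

if __name__ == "__main__":
    for name, (protos, suites) in (("legacy", LEGACY), ("corrected", CORRECTED)):
        print(name, audit_tls_config(protos, suites) or ["ok"])
```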
RC4 has been deprecated for over a decade: the first flaws were found in 2001, and RC4 was fully broken in WEP in 2004. Yes, there has been movement back to RC4 due to the BEAST attacks, but the fact that it's "the best of a bad bunch" should not fool us. As Schneier said before the recent NSA disclosures, "There's no reason to panic here. But let's start to move away from RC4 to something like AES." (https://www.schneier.com/blog/archives/2013/03/new_rc4_attack.html). This is not speculation. There are real attacks on RC4, and they will only get better with time.
But yes, let's get to TLS 1.2 first. --scott
Scott writes:
Has anyone looked at our internal network infra closely?
Yes, but system security and security of the private keys are equally important.
On general principles, after the TLS 1.2 / HTTPS everywhere default is in place, the private keys should be updated, with as secure and limited a set of people having access to the servers with that as possible.
One could guess that going after TLS / HTTPS private key certs is another level to all of this, compromising servers and/or cert agencies to get them.
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l