[Wikimedia-l] Disinformation regarding perfect forward secrecy for HTTPS
Ryan Lane
rlane at wikimedia.org
Sat Aug 3 08:19:38 UTC 2013
On Fri, Aug 2, 2013 at 7:23 PM, Anthony <wikimail at inbox.org> wrote:
> On Fri, Aug 2, 2013 at 10:07 PM, Anthony <wikimail at inbox.org> wrote:
>
> >
> > Anthony wrote:
> >> >
> >> > How much padding is already inherent in HTTPS?
> >>
> >> None, which is why Ryan's Google Maps fingerprinting example works.
> >>
> >
> > Citation needed.
> >
>
> Also please address
> https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Padding
>
> It seems that the ciphers which run in CBC mode, at least, are padded.
> Wikipedia currently seems to be set to use RC4 128. I'm not sure what, if
> any, padding is used by that cipher. But presumably Wikipedia will switch
> to a better cipher if Wikimedia cares about security.
>
We're currently have RC4 and AES ciphers in our list, but have RC4 listed
first and have a server preference list to combat BEAST. TLS 1.1/1.2 are
enabled and I'll be adding the GCM ciphers to the beginning of the list
either during Wikimania or as soon as I get back.
- Ryan
More information about the Wikimedia-l
mailing list