On Fri, Sep 6, 2013 at 1:08 PM, C. Scott Ananian <cananian@wikimedia.org> wrote:
> New revelations on NSA capabilities yesterday in the New York Times: see https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html for a jumping off point.
> The bottom line seems to be:
> - don't use RC4 (we're already working toward that goal, I believe)
> "Someone somewhere commented that the NSA's "groundbreaking cryptanalytic capabilities" could include a practical attack on RC4. I don't know one way or the other, but that's a good speculation."
This is simply not helpful. "Someone somewhere", "good speculation". None of the articles or released documents say this. This is FUD as of right now.
On Monday I'll be adding the GCM ciphers for TLS 1.2 (I added the change yesterday: https://gerrit.wikimedia.org/r/#/c/83043/). We already have 1.2 enabled with weaker ciphers. We should keep RC4 around for older browsers that don't have a proper BEAST fix. There's no actual evidence of a viable attack.
> 2) don't use the Dual_EC_DRBG PRNG (see
> http://crypto.stackexchange.com/questions/10189/who-uses-dual-ec-drbg)
> Can someone take a look at our SSL configuration and see if we have Dual_EC_DRBG enabled? (And if so, turn it off and use a better PRNG!)
From my (brief) investigation, this was included in the FIPS implementations for openssl, but not otherwise. We don't use FIPS.
- Ryan
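The cipher policy Ryan describes above (TLS 1.2 AES-GCM suites preferred, RC4 kept only as a last-resort fallback for older browsers) can be checked against the output of `openssl ciphers -v`. The following is an added example, not code from the thread or from Wikimedia's configuration; the sample output it parses is constructed, and the function names are hypothetical.

```python
# Constructed sample of `openssl ciphers -v` output (columns: name, protocol,
# Kx=, Au=, Enc=, Mac=); illustrative only, not captured from any real server.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
"""

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into dicts, preserving preference order."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append({"name": parts[0], "proto": parts[1],
                       "enc": fields.get("Enc", ""), "mac": fields.get("Mac", "")})
    return suites

def audit_cipher_order(suites):
    """Check the policy from the thread: TLS 1.2 AES-GCM suites must be offered
    and sit first in preference order, and RC4 may remain only as the
    lowest-priority fallback. Returns a list of findings; empty means it passes.
    (Dual_EC_DRBG is a PRNG, not a cipher suite, so it cannot be audited here;
    in OpenSSL it ships only with the FIPS module, as the thread notes.)"""
    findings = []
    is_gcm = ["GCM" in s["enc"] and s["proto"] == "TLSv1.2" for s in suites]
    is_rc4 = [s["enc"].startswith("RC4") for s in suites]
    if not any(is_gcm):
        findings.append("no TLSv1.2 AES-GCM suites offered")
    elif not is_gcm[0]:
        findings.append("first preference is %s, not an AES-GCM suite" % suites[0]["name"])
    if any(is_rc4):
        first_rc4 = is_rc4.index(True)
        # Every suite ranked at or below the first RC4 suite must itself be RC4.
        for s, rc4 in zip(suites[first_rc4:], is_rc4[first_rc4:]):
            if not rc4:
                findings.append("%s is ranked below an RC4 fallback suite" % s["name"])
    return findings

if __name__ == "__main__":
    for finding in audit_cipher_order(parse_ciphers_v(SAMPLE_CIPHERS_V)) or ["order OK"]:
        print(finding)
```

Feed it the real output of `openssl ciphers -v '<your cipher string>'` to check a server's configured preference order.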