On Fri, Sep 6, 2013 at 1:08 PM, C. Scott Ananian <cananian(a)wikimedia.org>wrote;wrote:
New revelations on NSA capabilities yesterday in the
New York Times: see
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html for a
jumping off point.
The bottom line seems to be:
1) don't use RC4 (we're already working toward that goal, I believe)
"Someone somewhere commented that the NSA's "groundbreaking cryptanalytic
capabilities" could include a practical attack on RC4. I don't know one way
or the other, but that's a good speculation."
This is simply not helpful. "Someone somewhere", "good speculation".
None
of the articles or released documents say this. This is FUD as of right now.
On Monday I'll be adding the GCM ciphers for TLS 1.2 (I added the change
yesterday: <https://gerrit.wikimedia.org/r/#/c/83043/>). We already have
1.2 enabled with weaker ciphers. We should keep RC4 around for older
browsers that don't have a proper BEAST fix. There's no actual evidence of
a viable attack.
2) don't use the Dual_EC_DRBG PRNG (see
http://crypto.stackexchange.com/questions/10189/who-uses-dual-ec-drbg)
Can someone take a look at our SSL configuration and see if we have
Dual_EC_DRBG enabled? (And if so, turn it off and use a better PRNG!
From my (brief) investigation, this was included in the
FIPS
implementations for openssl, but not otherwise. We don't use FIPS.
- Ryan