Support by various browsers for Perfect Forward Secrecy

Discussion in 'privacy technology' started by MrBrian, Mar 21, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Background: Perfect Forward Secrecy – how the NSA can monitor encrypted websites and how to prevent it.

    From link contained in SSL: Intercepted today, decrypted tomorrow:
    Client Capabilities: IE 11 / Win 8.1. Notice that "Forward Secrecy" ciphersuites are not first in order of preference for IE 11 on Win 8.1.

    Test your browser's capabilities: https://www.ssllabs.com/ssltest/viewMyClient.html.

    List of some companies that do and don't use Perfect Forward Secrecy: https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what.

    Related Wilders thread: A simple SSL tweak could protect you from GCHQ/NSA snooping.
     
    Last edited: Mar 22, 2014
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you care about Perfect Forward Secrecy, and you're an Internet Explorer user, apparently you should do both of these:
    a) Use IE 11 if possible. IE 10 got bad results - see post #1.
    b) Make all Perfect Forward Secrecy ciphersuites have preference over any non-Perfect Forward Secrecy ciphersuites - see post #3.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Last edited: Mar 22, 2014
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Internet Explorer: Alt key -> File -> Properties. Look at Connection section. If you see "ECDH" then you've got Perfect Forward Secrecy for the given site.

    Firefox: click padlock -> More Information -> Security tab. Look at Technical Details. If you see "ECDHE" or "DHE" then you've got Perfect Forward Secrecy for the given site.

    Edit: see post #20 for possible exceptions.
     
    Last edited: Mar 24, 2014
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Related thread: SSL Labs SSLTest gets a nice update.

    Note: if you're using Win XP, you must use a browser other than Internet Explorer if you want to use Perfect Forward Secrecy.
     
  9. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I've ran a lot of sites through SSL Labs for fun- with some of the really bad ratings I even tried to contact the site owners and see if they could improve (one of which was a hospital records site still allowing SSL 2).

    But not a lot of sites support Perfect Forward Secrecy.

    edit

    Ha, Patreon has a lot better rating now (was getting a C, now gets an A). I'd like to think I contributed to it. PROBABLY NOT, but I least called it in and they said they'd forward my message to the tech team or whatever. I guess some sites do listen.
     
    Last edited: Mar 23, 2014
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you find a site using the Diffie-Hellman algorithm, could you please tell me?
     
  11. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    If serious, how would I know? Would it show it on the results page of SSL Labs?

    I don't know a ton about HTTPS. Hell, this year I'm just learning about CAs and TLS. And I've tried my best to get the gist of HTTPS Everywhere's how to deploy correctly page.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes it would, but nevermind because I found one now :).
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    SSL Pulse Now Tracking Forward Secrecy and RC4

    I believe that the reason for the huge Forward Secrecy percentage point difference between "Some FS [Forward Secrecy] suites enabled" and "Used with modern browsers" is mostly due to the lack of support for Forward Secrecy on Internet Explorer. For example, use https://www.ssllabs.com/ssltest/ on the sites in post #13.
     
    Last edited: Mar 23, 2014
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In looking at posts #1, #6, #14, and #16, you get a lot better Perfect Forward Secrecy website coverage on most modern non-Internet Explorer browsers than modern Internet Explorer browsers. And if you're using Internet Explorer on Windows XP, you get no Perfect Forward Secrecy at all.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Perfect Forward Secrecy in the Netcraft Extension:
     
  19. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    'elliptic curve' ?
    Bruce Schneier can break elliptic curve cryptography by bending it to a circle.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    ECDHE/DHE doesn't necessarily mean true Forward Secrecy:
    https://www.imperialviolet.org/2013/06/27/botchingpfs.html

    Thanks, I didn't know about that.
    Keep in mind though that ECDH does not support Forward Secrecy, ECDHE does. The E stands for Ephemeral and means it uses a different key everytime instead of a static one.
    However, IE somehow displays ECDHE as ECDH. If it says ECDH you should be fine because it doesn't actually support ECDH ciphers, only ECDHE.


    It seems to me that DSA is restricted to 1024 bits by some standards and software.
    Certificates with 1024 bit RSA keys are no longer supported and 2048 bit is the standard now:
    http://portal.chicagonettech.com/news/15/1024-bit-rsa-key-size-end-of-life-announced.aspx

    When using ECDHE/DHE however, that is being used for the key exchange, not RSA.
    Unfortunately, on a lot of sites the DH key size is only 1024 bit(example)
    A lot of server software still uses 1024 bit as the default size , including the popular Apache.
    http://www.gossamer-threads.com/lists/apache/dev/427255
    And a lot of servers don't use the most recent versions, so miss out on improvements on this.
    For ECDHE, a 256 bit curve is often used as default, which is equal to 3072 bits RSA according to SSL Labs.
     
Loading...
Thread Status:
Not open for further replies.