
Improve cryptographic security: Deprecate insecure encryption cipher suites #115

@MacLemon

Summary:

Improve cryptographic security by deprecating insecure cipher suites and improving key exchange. This includes easy short-term improvements and longer-term suggestions to modernize the available encryption.

Steps to Reproduce:

When creating a bookmark, Wired Client asks for a cipher suite to use for the server connection.
Most users are not able to make a secure choice there (because most users are not familiar with cryptography, and also because there are no fully secure cipher suites available at all).
The available ciphers must be required by the server, not be a client-side choice with insecure defaults.

Expected Results:

Wired Client should ideally auto-negotiate the best cipher available to both server and client, not ask the user to make a choice they cannot really make in a good manner.

Short term improvement suggestion

Change the default cipher to RSA - AES/256 - SHA512, which is already implemented and is the best available suite at the time of this writing. It's still not an ideal choice.
Reservations regarding CPU load are unwarranted since all CPUs since 2009 support hardware-accelerated AES encryption. In fact, AES-256 with AES-NI (provided via OpenSSL) causes less CPU overhead than Blowfish or 3DES.

Near term improvement suggestion

Remove insecure ciphers from client and server; they also give users and admins a false sense of security:

Remove any cipher that still uses SHA1

SHA1 is an insecure hash function that has been deprecated for many years now.

  • RSA - AES/128 - SHA1
  • RSA - AES/192 - SHA1
  • RSA - AES/256 - SHA1
  • RSA - BF/128 - SHA1
  • RSA - 3DES/192 - SHA1

Remove any cipher that still uses BF (Blowfish)

Blowfish is considered insecure and deprecated even by its original author (Bruce Schneier).

  • RSA - BF/128 - SHA1
  • RSA - BF/128 - SHA256
  • RSA - BF/128 - SHA512

Remove any cipher that still uses 3DES (Triple DES)

  • RSA - 3DES/192 - SHA1
  • RSA - 3DES/192 - SHA256
  • RSA - 3DES/192 - SHA512

Provide better guidance until auto-negotiation handles this in a secure manner.

At the very least, these insecure ciphers should be explicitly marked as deprecated and insecure, to encourage users to make better choices by hinting at the problem and providing a better default.
For example, by putting them into a submenu named "Insecure ciphers".

For a future release these ciphers should be removed from the client altogether. We should give server operators some heads-up so they can change their settings in advance, should that be necessary.

Actual Results:

Wired Client requires the user to pick from a list of outdated cipher suites without any guidance. This must be handled by the handshake and server requirements.

Wired Client provides an insecure and outdated default, putting users unnecessarily at risk.
There are only outdated and some outright insecure ciphers available (insecure hashing via SHA1, insecure/outdated symmetric encryption via BF and 3DES).
There are no modern and secure AEAD cipher suites available (CHACHA20-POLY1305, AES-GCM).
There is no modern key exchange mechanism available that provides forward secrecy (only plain RSA, but not ECDHE, which OpenSSL would provide).

Regression:

n/a

Notes:

Secure TLS connections should be using one of the following TLS 1.2/TLS 1.3 cipher suites:

  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256

These cipher suites also provide forward secrecy, which is a mandatory property for secure connections these days.
These cipher suites also make use of hardware crypto acceleration, like AES-NI provided by Intel/AMD CPUs (or NEON on ARM). These suites therefore cause less CPU overhead on servers.
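The removal rules above (SHA1, Blowfish, 3DES), the short-term default, and the recommended ECDHE/AEAD suites, as an added example written for this issue rather than code from Wired Client: it audits suite names in the client's own "RSA - AES/256 - SHA512" naming scheme and builds an OpenSSL (via Python's ssl module) client context that offers only the suites listed in the notes. The legacy suite list is constructed from the issue's lists.

```python
"""Cipher-suite policy helpers for this issue: apply the removal rules
(SHA1, Blowfish, 3DES) to Wired-style suite names, pick the strongest
surviving default, and build a TLS context limited to the recommended
ECDHE + AEAD suites. Example code, not part of Wired Client."""
import re
import ssl

# Constructed from the issue's lists; format is "<kx> - <cipher>/<bits> - <hash>".
LEGACY_SUITES = [
    "RSA - AES/128 - SHA1", "RSA - AES/256 - SHA1", "RSA - AES/128 - SHA256",
    "RSA - BF/128 - SHA512", "RSA - 3DES/192 - SHA256", "RSA - AES/256 - SHA512",
]

# OpenSSL names of the TLS 1.2 suites recommended in the notes (ECDHE + AEAD).
RECOMMENDED = [
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

def parse_wired_suite(name):
    """Split "RSA - AES/256 - SHA512" into (kx, cipher, key_bits, digest)."""
    kx, cipher, digest = (p.strip().upper() for p in name.split(" - "))
    alg, _, bits = cipher.partition("/")
    return kx, alg, int(bits or 0), digest

def removal_reasons(name):
    """Reasons the issue gives for dropping a suite; an empty list means it stays."""
    _, alg, _, digest = parse_wired_suite(name)
    reasons = []
    if digest == "SHA1":
        reasons.append("SHA1 digest")
    if alg == "BF":
        reasons.append("Blowfish cipher")
    if alg == "3DES":
        reasons.append("3DES cipher")
    return reasons

def best_legacy_default(suites):
    """Strongest surviving suite by key size, then digest size (short-term default)."""
    def strength(s):
        _, _, key_bits, digest = parse_wired_suite(s)
        return key_bits, int(re.sub(r"\D", "", digest) or 0)
    keep = [s for s in suites if not removal_reasons(s)]
    return max(keep, key=strength) if keep else None

def hardened_context():
    """Client context offering only RECOMMENDED over TLS 1.2+; OpenSSL manages
    the TLS 1.3 suites separately and all of those are AEAD already."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(RECOMMENDED))
    return ctx

def enabled_tls12_suites(ctx):
    """Names OpenSSL will actually offer for TLS 1.2 under this context."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
```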

Version Information:

Wired Client 2.5 (56)
