Conversation

@mark-kubacki
Contributor

To address the BEAST attack vector for ≤TLS 1.0 and CBC ciphers. Effective for s2s connections.

http://googleonlinesecurity.blogspot.de/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html

Signed-off-by: W-Mark Kubacki [email protected]

@daurnimator
Contributor

What does this do? Why isn't it a default?

A quick google suggests it only applies to "BoringSSL".

@mark-kubacki
Contributor Author

@daurnimator Erm, please excuse the briefness of the comment. I do assume that it's enough for maintainers of security-related projects to remember what this refers to. I didn't take third parties into account, sorry.

Some SSL implementations have this, and at least one patch has been filed for OpenSSL. Please remember that GNU/Linux distributions often ship with cherry-picked patches.

The reason you need something like that feature in an IV-less TLS variant is this (you get it by searching for »BEAST cbc«):
https://blog.torproject.org/blog/tor-and-beast-ssl-attack
… and then this could happen:
https://www.imperialviolet.org/2012/01/15/beastfollowup.html

It should be on by default, but isn't because it's, well, relatively (4yrs+) new. The client-side implementation has the upside that – if the server doesn't know that feature – worst case it doesn't break anything. Best case is – when the server knows that feature (BoringSSL does, as does Windows' SCHannel) – you close another attack vector.

You cannot neglect that feature because TLSv1.0 is still very common and CBC negotiated quite often. I don't have any numbers at hand (I know Mozilla's telemetry has them for the public), but here's some from 2013:
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
(You will need to know which cipher suites are TLSv1.2-only to read this, and assume that the same distribution of SSL implementations applies to XMPP servers.)

It's time that XMPP servers catch up and optionally exceed the bar browsers set for TLS security.
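The 1/n-1 record splitting discussed in this thread, modelled as an added example; this is not code from this pull request or from the project it targets. It assumes a toy keyed PRF (SHA-256 based, forward direction only, constructed for the demo) in place of a real block cipher, simplified TLS-style padding and no MAC, since the point is only how the IV of each TLS 1.0 CBC record is chained from the previous record and how the split changes which IV the bulk data sees.

```python
import hashlib

BLOCK = 16


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy stand-in for AES (constructed for this demo): a keyed PRF, encryption
    # direction only, which is all the chaining demonstration needs.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    # Simplified TLS CBC padding: n bytes, each equal to n - 1, up to a block boundary.
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n - 1]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC: each block is XORed with the previous ciphertext block before encryption.
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out += prev
    return out


class Tls10CbcWriter:
    """Models a TLS 1.0 CBC sender: the IV of record k is the last ciphertext
    block of record k-1, i.e. it has already been on the wire when the next
    application write happens (the BEAST precondition)."""

    def __init__(self, key: bytes, first_iv: bytes, record_splitting: bool = False):
        self.key = key
        self.chain = first_iv            # IV to use for the next record
        self.record_splitting = record_splitting
        self.records = []                # (iv_used, ciphertext) per record sent
        self.writes = []                 # (first_record_idx, end_idx) per write()

    def write(self, app_data: bytes) -> int:
        start = len(self.records)
        fragments = [app_data]
        if self.record_splitting and len(app_data) > 1:
            # 1/n-1 split: a 1-byte record first, then the remaining n-1 bytes.
            fragments = [app_data[:1], app_data[1:]]
        for frag in fragments:
            iv = self.chain
            ct = cbc_encrypt(self.key, iv, pad(frag))
            self.records.append((iv, ct))
            self.chain = ct[-BLOCK:]     # TLS 1.0 chaining: next IV = last block sent
        self.writes.append((start, len(self.records)))
        return len(fragments)


def bulk_record_iv_known_before_write(writer: Tls10CbcWriter, write_index: int) -> bool:
    """True if the IV under which the bulk of write `write_index` was encrypted
    was already observable on the wire before that write was made."""
    start, end = writer.writes[write_index]
    bulk_iv = writer.records[end - 1][0]
    return any(ct[-BLOCK:] == bulk_iv for _, ct in writer.records[:start])


if __name__ == "__main__":
    key, iv0 = b"k" * BLOCK, b"\x00" * BLOCK   # constructed sample values
    for split in (False, True):
        w = Tls10CbcWriter(key, iv0, record_splitting=split)
        w.write(b"GET / HTTP/1.1")
        w.write(b"Cookie: secret")
        print("splitting" if split else "no splitting",
              "-> bulk IV of 2nd write known in advance:",
              bulk_record_iv_known_before_write(w, 1))
```

Without splitting, the second write's IV is the last block of the first record, which an observer saw before the second plaintext was chosen. With the split, the n-1 bytes are encrypted under the last block of the 1-byte record produced inside the same write, after the plaintext was committed, which is why the receiving side needs no support: it just decrypts one more record.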

@daurnimator
Contributor

FWIW, I found this comment, where the idea was invented and discussed: https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c59

@neheb
Contributor

neheb commented Jan 1, 2020

This should probably be merged.

@Neustradamus

@brunoos: Can you look here?
