
Looks pretty good. Their configuration could use larger DHE parameters (2048), replace RC4 with 3DES and enable OCSP Stapling. But it's already in the top 1% for TLS quality!

    $ ./cipherscan pinterest.com
    ................
    Target: pinterest.com:443
    
    prio  ciphersuite                  protocols              pfs_keysize
    1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
    2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits
    3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
    4     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
    5     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
    6     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits
    7     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
    8     AES128-GCM-SHA256            TLSv1.2
    9     AES128-SHA256                TLSv1.2
    10    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
    11    AES256-GCM-SHA384            TLSv1.2
    12    AES256-SHA256                TLSv1.2
    13    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2
    14    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
    15    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
    
    Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
    TLS ticket lifetime hint: 300
    OCSP stapling: not supported
    Server side cipher ordering
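
As an added example (not the commenter's code and not part of cipherscan), a small Python checker that parses a report in the format quoted above and flags the three issues raised in this thread: RC4 suites (prohibited by RFC 7465), finite-field DHE parameters below 2048 bits, and missing OCSP stapling. The embedded report is a constructed, abridged copy of the output above; the 2048-bit threshold is the one the comment recommends.

```python
import re

# Constructed sample: an abridged copy of the cipherscan report quoted above.
SAMPLE_REPORT = """\
Target: pinterest.com:443
prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
4     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
8     AES128-GCM-SHA256            TLSv1.2
14    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
15    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
OCSP stapling: not supported
Server side cipher ordering
"""

# prio, suite name, protocol list, optional pfs_keysize column
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")
MIN_DH_BITS = 2048  # DHE parameter size recommended in the thread

def parse_report(text):
    """Split a cipherscan report into suite rows and trailing 'key: value' lines."""
    suites, info = [], {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            prio, name, protos, pfs = m.groups()
            suites.append({"prio": int(prio), "name": name,
                           "protocols": protos.split(","), "pfs": pfs})
        elif ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return suites, info

def audit(text):
    """Return sorted findings for the three issues raised in the thread."""
    suites, info = parse_report(text)
    findings = set()
    for s in suites:
        if "RC4" in s["name"]:
            findings.add(f"RC4 suite offered (prohibited by RFC 7465): {s['name']}")
        if s["pfs"] and s["pfs"].startswith("DH,"):  # finite-field DHE only
            bits = int(re.search(r"(\d+)bits", s["pfs"]).group(1))
            if bits < MIN_DH_BITS:
                findings.add(f"DHE parameters only {bits} bits: {s['name']}")
    if info.get("OCSP stapling", "").startswith("not"):
        findings.add("OCSP stapling not supported")
    return sorted(findings)
```

Running `audit(SAMPLE_REPORT)` on the sample yields four findings: two RC4 suites, the 1024-bit DHE suite, and the missing OCSP stapling.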



The use of RC4 is odd as it's fairly broken[1]. Misconfiguration?

[1] http://blog.cryptographyengineering.com/2013/03/attack-of-we...


Misconfiguration. All RC4 ciphersuites are explicitly forbidden by RFC, and considered a severe vuln by CVE. https://tools.ietf.org/html/rfc7465


That's a very sudden change. A lot of sites started using RC4 recently because it's immune to BEAST and Lucky13.


Really: no. There is nothing "very sudden" about RC4 exhibiting biases indicating it is weaker than it should be: ask any cryptographer. The break that's about to be disclosed in March is simply a new practical twist on a weakness published more than 10 years ago!

A lot of sites got bad advice. (One might wonder about whether all that advice was truly given in good faith. Maybe.) The real fix for BEAST and Lucky13 is, and always was, to use TLSv1.2 with AEADs like AES_GCM, or CHACHA20_POLY1305. So do that.


Which this site does. They put RC4 at the bottom probably because it is faster than 3DES.


So's NULL, but that doesn't mean you should use it.


75% of Alexa's top 1 million have RC4 enabled [1]. It will take a lot of evangelizing to finally get rid of it.

[1] https://securitypitfalls.wordpress.com/2015/03/13/february-2...


…how about a new twist on an old partial plaintext recovery attack that can actually steal passwords in the wild, given a cute name and a logo, being demonstrated in 11 days at Black Hat Asia 2015? I think that might help speed things along a bit.

https://www.blackhat.com/asia-15/briefings.html#bar-mitzva-a...

If you're managing a system, do what the RFC said: turn off RC4 on all the servers and clients. You were warned!


I wonder if this is/was the amazing crypto breakthrough known as BULLRUN, or at least very similar. It seems likely that if academic researchers are now able to extract partial plaintexts from RC4 with nothing more than passive eavesdropping, it's possible that GCHQ/NSA has gone all the way.


It's kind of confusing. BULLRUN/EDGEHILL projects are umbrella cover terms: Secure Communities of Interest regarding general access to NSA/GCHQ (respectively) efforts to defeat network communication technologies such as TLS and IPsec, not particular individual cryptanalytic attacks, vulnerabilities, backdoors or techniques.

I think you want the PICARESQUE ECI compartment, specifically (TS//SI-PIQ). NSA are said to have had a "cryptanalytic breakthrough" which "surprised" GCHQ some years ago. Specific operational details are currently undisclosed, but there have been references to PIQ (PICARESQUE) blades at locations of some TEMPORA full-take feeds processing the (72-hour) network intercept ring buffers in nearline and providing passive decrypts on-site to the backend via crypt attacks. They have only one-way access, and aren't active/QUANTUM (MoTS/MiTM) attacks, or PAWLEYS (key-stealing) attacks. The prevalence of RC4 within TLS (and other protocols) at the time, that it apparently directly provides plaintext decrypts, and RC4's relative weakness, suggest it as the most likely candidate for attack.

So, no, don't use RC4! …not that I've had the opportunity to reverse any of these blades recently, you understand…



