Some thoughts on ways of choosing what TLS ciphers to support

March 9, 2016

As you might expect, the TLS DROWN attack has me looking at our TLS configurations with an eye towards making them more secure. In light of DROWN I'm especially looking at our non-HTTPS services, the most prominent of these being IMAP. As part of this I've been thinking about various approaches to deciding what TLS ciphers to support or disallow.

(I'm going to use 'cipher' somewhat broadly here; I really mean what often gets called 'cipher suites'.)

There's a number of different principles for picking what cipher suites to support that one could follow here:

  • Don't change anything and leave it to the software defaults. This seems like a bad option in today's Internet world unless you make sure to run the latest TLS software written by people who aggressively disable ciphers (at least by default). TLS risks and attacks just move too fast and TLS library defaults are often set conservatively (or simply not changed from historical practice, even when the threats change and some cipher suites become terrible ideas).

    The good news is that modern TLS libraries generally have disabled at least some terrible ideas, like SSLv2 and export grade ciphers. So some progress is being made here.

  • Disable only cipher suite options that are known to be broken. Today I believe that this is purely RC4 or MD5 based cipher suites (plus terrible things like all export grade ciphers, SSLv2, etc). These are sufficiently dangerous that any client with nothing better is probably better off failing entirely.

    (Certainly we don't want user passwords traveling to us over TLS encryption that's this weak, never mind any other protocol vulnerabilities that they may expose.)

  • Disable obscure, rarely used cipher suites as well as known broken ones. Today I believe that would add at least SEED and CAMELLIA based cipher suites. I've certainly seen various sites that advise doing this.

    (In some environments I believe that DES/3DES cipher suites would also be disabled here.)

  • Set your cipher suites to the recommended best settings from e.g. Mozilla or other well regarded sources. These people have hopefully already worked out both what the good state of the art is as well as what tradeoffs you need to be broadly compatible with existing clients. You may need to supplement this with additional cipher suites if you have unusual clients.

    (Mozilla is great for HTTPS services but I'm not sure they've looked at, say, the TLS support levels in various IMAP clients. And current versions of web browsers are probably more up to date than clients for other TLS services.)

  • Track your actual client TLS usage and then set your cipher suites to what your users actually need, plus the latest high security ciphers so that new clients or upgraded ones can get the best security possible. The drawback here is making sure you really know all of the cipher suites that your users are using; you may find that people keep turning up with uncommon clients that need new cipher suites added.
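
As an added illustration of the usage-tracking approach (not code from the original post), the sketch below tallies negotiated cipher suites per user and sorts them into the 'broken' and 'obscure' tiers from the list above. The key=value log format, the sample lines and all function names are assumptions; adapt the regular expression to what your IMAP server really logs.

```python
import re
from collections import defaultdict
# Constructed sample lines in an assumed key=value login-log format.
SAMPLE_LOG = """\
Mar  9 01:00:01 imap-login: user=alice tls=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
Mar  9 01:00:07 imap-login: user=bob tls=TLSv1 cipher=RC4-MD5
Mar  9 01:02:13 imap-login: user=carol tls=TLSv1 cipher=DES-CBC3-SHA
Mar  9 01:03:40 imap-login: user=bob tls=TLSv1 cipher=RC4-MD5
Mar  9 01:05:02 imap-login: user=dave tls=TLSv1 cipher=CAMELLIA256-SHA
Mar  9 01:06:18 imap-login: user=carol tls=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
Mar  9 01:07:55 imap-login: user=erin (no TLS fields, e.g. auth failure)
"""

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+tls=(?P<proto>\S+)\s+cipher=(?P<cipher>\S+)")

# The post's tiers as OpenSSL name fragments; DES also catches DES-CBC3-SHA (3DES).
TIERS = (("broken", ("RC4", "MD5", "EXP")),
         ("obscure", ("SEED", "CAMELLIA", "DES")))

def classify(proto, cipher):
    if proto == "SSLv2":
        return "broken"
    parts = cipher.upper().split("-")
    for tier, fragments in TIERS:
        if any(p.startswith(f) for p in parts for f in fragments):
            return tier
    return "ok"

def usage_report(log_text):
    """Map each negotiated suite to its tier, session count and distinct users."""
    report = defaultdict(lambda: {"tier": None, "sessions": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without TLS details are skipped, not guessed at
        entry = report[m["cipher"]]
        entry["tier"] = classify(m["proto"], m["cipher"])
        entry["sessions"] += 1
        entry["users"].add(m["user"])
    return dict(report)

def users_at_risk(report, disabled_tiers):
    """Users never seen on a suite outside the tiers you plan to disable."""
    kept, dropped = set(), set()
    for entry in report.values():
        (dropped if entry["tier"] in disabled_tiers else kept).update(entry["users"])
    return dropped - kept

if __name__ == "__main__":
    print(sorted(users_at_risk(usage_report(SAMPLE_LOG), {"broken", "obscure"})))
```

A logged suite is only what was negotiated, not everything the client supports, so the users this flags are the ones to check before a change rather than ones certain to break.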

Any time you explicitly set the list of TLS cipher suites to use (as opposed to disabling some from the default list), you become responsible for updating this list as new versions of TLS libraries add support for new and hopefully better cipher suites. Sometimes you can be a bit generic in your explicit settings; sometimes sites have you set an explicit list of specific cipher suites. Just disabling things is probably more future proof, although the ice may be thin here.

I don't currently have any opinions on what approach is the best one. Really, I don't think there is a single 'best one'; it depends on your circumstances.

Written on 09 March 2016.

Last modified: Wed Mar 9 01:03:26 2016