[TLS] Security today

To: tls at ietf.org
Subject: [TLS] Security today
From: Mike <mike-list at pobox.com>
Date: Thu, 27 Mar 2008 16:15:01 -0700
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Sender: tls-bounces at ietf.org
User-agent: Thunderbird 2.0.0.12 (Windows/20080213)

Is anyone else concerned about the level of security on the
Internet today?  I mean everybody is using 1024-bit RSA keys
which have an estimated 80 bits of security.  (Yet CA's are
happy to claim that you get 128 or even 256 bits of security
using them for SSL.)  RSA Labs even states that 1024-bit keys
are good only until 2010, and they estimate 2048-bit keys
will protect data until 2030.  Why use such small margins
anyway?  Processors are already super fast and getting even
faster.  Who cares if it takes an extra half second to buy a
book if your financial data will be secure for several more
decades?

Not only will 1024-bit keys be broken "soon", but when that
happens, it's not just a matter of replacing keys -- any data
transmitted over a channel using plain RSA key exchange has
no forward secrecy, and is thus exposed.  An added problem is
that lots of websites will purposely ignore higher-security
cipher suites (that do provide forward secrecy) early in the
cipher list and choose RSA_WITH_RC4 preferentially, probably
because it is slightly faster.  Even more fuel to the fire is
the fact that many websites have disabled DHE_* cipher suites
in the past few months (I thought my TLS test client was
broken because sites that I used to connect to with DHE no
longer negotiate it).

What will it take to affect a change in this state of affairs
that treats 1024-bit keys as secure?

Mike
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Security today
  - From: Peter Gutmann
- Re: [TLS] Security today
  - From: Yoav Nir
- Re: [TLS] Security today
  - From: Michael Howard

Prev by Date: Re: [TLS] I-D ACTION:draft-ietf-tls-rfc4346-bis-10.txt
Next by Date: Re: [TLS] Security today
Previous by thread: [TLS] Protocol Action: 'The Transport Layer Security (TLS) Protocol Version 1.2' to Proposed Standard
Next by thread: Re: [TLS] Security today
Index(es):
- Date
- Thread

[TLS] Security today

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.