
Re: tlsa for smtp to @bugs.debian.org

* Bastian Blank:

> On Fri, Sep 13, 2013 at 10:51:06PM +0200, Kurt Roeckx wrote:
>> I think gnutls by default has a minimum size of 727 for the DH
>> size while openssl doesn't have any check for this.  But if you're
>> using DH you really want to move to something like 2048 if
>> possible.
> This prime size is pretty irrelevant for opportunistic TLS.

Small primes enable passive attacks.  TLS with plain RSA and a large
enough modulus (even 1024 bits isn't that problematic at this point)
is thought to be safe against passive attacks, *even without*
certificate validation.

Curiously, the optional ephemeral Diffie-Hellman part of the TLS
protocol runs in plaintext, which means that it can be attacked
directly, without bothering to attack the RSA part.  As a result, that
dreaded thing called "perfect forward secrecy" is not necessarily an
overall improvement.  It's probably best to disable it altogether,
then the DH interoperability issue disappears as well.  (I'm pretty
sure the current trend to enable it all over the place is mostly due
to its suggestive name.)
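
Added example, not part of the original message: a client-side size check in the spirit of the GnuTLS minimum mentioned in the quoted text, applied to the ServerDHParams structure that TLS sends in the clear. The 727 and 2048 thresholds come from the thread; the function names and sample values are constructed for illustration and are not GnuTLS or OpenSSL code.

```python
import struct

# Thresholds from the thread: the GnuTLS default minimum quoted above and
# the size the quoted message recommends moving to.
GNUTLS_MIN_BITS = 727
RECOMMENDED_BITS = 2048


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (RFC 5246, 7.4.3): dh_p, dh_g, dh_Ys, each an
    opaque vector with a 2-byte big-endian length prefix."""
    fields, offset = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length for {name}")
        fields.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    return tuple(fields), offset  # offset is where the signature starts


def classify_dh_prime(body: bytes, min_bits: int = GNUTLS_MIN_BITS) -> str:
    """Return 'reject', 'weak' or 'ok' for the parameters a server sent."""
    (p, _g, ys), _ = parse_server_dh_params(body)
    bits = p.bit_length()  # counts the value, not zero-padded field width
    if bits < min_bits or not 1 < ys < p - 1:
        return "reject"
    return "weak" if bits < RECOMMENDED_BITS else "ok"


def encode_sample(p: int, g: int, ys: int, pad: int = 0) -> bytes:
    """Build a constructed ServerDHParams body; pad adds zero bytes to dh_p."""
    out = b""
    for i, v in enumerate((p, g, ys)):
        size = (v.bit_length() + 7) // 8 + (pad if i == 0 else 0)
        out += struct.pack("!H", size) + v.to_bytes(size, "big")
    return out


# Constructed samples: odd numbers of the stated bit length stand in for
# real primes, since only the size matters to this check.
SAMPLE_512 = encode_sample((1 << 511) | 1, 2, 5)
SAMPLE_1024 = encode_sample((1 << 1023) | 1, 2, 5)
SAMPLE_2048 = encode_sample((1 << 2047) | 1, 2, 5)
SAMPLE_PADDED = encode_sample((1 << 511) | 1, 2, 5, pad=192)  # 2048-bit field
```

The padded sample shows why the check measures the value rather than the field length: a 512-bit prime carried in a 256-byte field is still rejected.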
