[LINK] RFI: The Key-Length Currently Needed for SSL Security
Kim Holburn
kim at holburn.net
Fri Dec 10 10:26:21 AEDT 2010
Looks to me like the server has been configured badly. A thing that is terribly easy to do where encryption is concerned. In this case the server is creating a temporary random number for the purposes of diffie hellman key exchange which is too small and thus insecure. This is nothing to do with the server certificates, it is to do with the initial handshaking at the start of the encrypted session.
On 2010/Dec/10, at 10:10 AM, rene wrote:
> On Thu, 9 Dec 2010 14:43:20 -0800, Scott Howard wrote:
>
>> On Thu, Dec 9, 2010 at 1:58 PM, Roger Clarke
>> <Roger.Clarke at xamax.com.au>wrote:
>>
>>> [The article below suggests that the Chrome browser refuses to
>>> permit interactions with web-sites that use [presumably, symmetric]
>>> keys [presumably, for data encryption] shorter than 1024 bits.
>>>
>>>
>> The obvious thing they would be referring to here is the length of
>> the servers private key. The standard minimum for these for years
>> has been 1024 bits, although it's recently been bumped to 2048 bits.
>>
>> However, the Citilink site - presuming they are referring to is
>> www.citylink.com.au - is using a 1024 bit private key, and given that
>> the key isn't a new one (dated 2008) it's unlikely that they changed
>> it recently...
>>
>> TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>
> This morning a blogger has posted a copy of the actual error message shown
> by Chrome on accessing the citilink site:
>
> http://www.geekrant.org/2010/12/10/citylink-poor-security/
>
> Perhaps the "technical details" section of the error message may enable
> persons who know quite a bit about SSL to determine what the problem
> actually is.
>
> Irene
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
More information about the Link
mailing list