During the 31st CCC congress, the German newspaper Der Spiegel released some documents on attempts to break and/or weaken TLS/SSL. This will be a good reason for us to review the BetterCrypto recommendations fully. Stay tuned.
The Poodle killed it
The POODLE attack pretty much killed SSLv3, which we had not really recommended anymore anyway. Our bettercrypto guide generally does not recommend SSLv3 for web servers. You will find in our guide that we have generally always excluded SSLv3:
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
        EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\
        +SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\
        !ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
SSLProtocol disables SSLv3; however, the cipher string at first sight seems to enable it again. This is however not the case! The abbreviation +SSLv3 in the SSLCipherSuite string simply enables certain cipher combinations. It does not enable SSLv3!
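The following added example (not code from the bettercrypto guide) audits the two directives quoted above and reports protocol versions and cipher-string operations separately, which shows that `+SSLv3` is a cipher-list operator and not a protocol switch. The expansion of `All` and the simplified parsing model are assumptions of this sketch; the function names are hypothetical.

```python
import re
# Assumption: "All" expands as on an Apache 2.4 / OpenSSL 1.0.1-era build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Leading operators of OpenSSL's cipher list format, see ciphers(1).
CIPHER_OPS = {"!": "kill", "-": "remove", "+": "move-to-end"}

def directives(conf):
    """Yield (name, argument) pairs, joining backslash-continued lines."""
    for line in re.sub(r"\\\s*\n\s*", "", conf).splitlines():
        name, _, arg = line.strip().partition(" ")
        if name and not name.startswith("#"):
            yield name.lower(), arg.strip().strip("'\"")

def effective_protocols(arg):
    """Simplified model of SSLProtocol: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for word in arg.split():
        action = word[0] if word[0] in "+-" else ""
        names = ALL if word.lstrip("+-").lower() == "all" else {word.lstrip("+-")}
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = set(names)
    return enabled

def cipher_ops(arg):
    """Split a cipher string into (operation, selector) pairs."""
    ops = []
    for token in filter(None, arg.split(":")):
        op = CIPHER_OPS.get(token[0])
        ops.append((op, token[1:]) if op else ("add", token))
    return ops

def audit(conf):
    """Return (enabled protocol versions, cipher operations) for a config."""
    found = dict(directives(conf))
    return (effective_protocols(found.get("sslprotocol", "")),
            cipher_ops(found.get("sslciphersuite", "")))

# Constructed sample input: the two directives quoted above.
CONF = r"""
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
    EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\
    +SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\
    !ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
"""
```

`audit(CONF)` returns the protocol set without SSLv3 and lists `SSLv3` only as a `move-to-end` selector among the cipher operations; running `effective_protocols("All -SSLv2")` shows the weaker setting that would leave SSLv3 on.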
Aaron (K.), azet and David will be holding a bettercrypto talk at hack.lu 2014.
This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.
Initiated by Aaron Kaplan (CERT.at) and Adi Kriegisch (VRVis), a group of specialists, cryptographers and sysadmins from CERTs, academia and the private sector joined forces to write such a concise, short guide.
This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.). It is completely open source: every step in the creation of this guide is public and discussed on a public mailing list, and any changes to the text are documented in a publicly readable version control system.
Aaron (K.) presented the bettercrypto project at the RIPE meeting 68 in Warsaw on Tue, 13th of May. The slides can be found here.
Linuxwochen
Aaron (azet) presented the bettercrypto project at the Vienna Linuxwochen. In addition, Berg held a bettercrypto workshop there as well! His workshop notes are on GitHub as well.
To all people at the CCC:
We need your help!
Good open source cryptography is essential to security. Correctly implementing this is often a complex riddle. This project aims to provide an open source guide to applied crypto hardening.
So what can you do?
- Read our paper
- Review it
- Test it and implement it
- Give us your feedback on the mailing list
- Send us patches or pull requests