[ciphershed] Re: Still getting security warning on https://ciphershed.org

  • From: Niklas Lemcke - 林樂寬 <compul@xxxxxxxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Tue, 1 Jul 2014 20:55:46 +0800

On Tue, 1 Jul 2014 10:11:21 +0200
Rocki Hack <rocki.hack@xxxxxxxxx> wrote:

> The problem is that the server cert chain is invalid.
> 
> It sends: StartCom Class _1_ Primary Intermediate Server CA
> (f691fc87efb3135354225a10e127e911d1c7f8cf)
> 
> But should be: StartCom Class _2_ Primary Intermediate Server CA
> (a1ace4046b6e332232b87ecfb6f37a0763720147)

Whoops ~ good catch. :) Thanks. It's all good now.

> 
> > Actually, my connection is encrypted with AES-256. Maybe 128bit is a
> setting your browser likes.
> 
> _Server_-preferred order (top-down):
> 
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 521 bits (eq. 15360 bits RSA)      FS   256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 521 bits (eq. 15360 bits RSA)      FS   128
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   (0x9f)     DH 1024 bits (p: 128, g: 1, Ys: 128)    FS   256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   (0x9e)     DH 1024 bits (p: 128, g: 1, Ys: 128)    FS   128
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 521 bits (eq. 15360 bits RSA)      FS   256
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    (0xc014)   ECDH 521 bits (eq. 15360 bits RSA)      FS   256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   (0x6b)     DH 1024 bits (p: 128, g: 1, Ys: 128)    FS   256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA      (0x39)     DH 1024 bits (p: 128, g: 1, Ys: 128)    FS   256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 521 bits (eq. 15360 bits RSA)      FS   128
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA    (0xc013)   ECDH 521 bits (eq. 15360 bits RSA)      FS   128
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256   (0x67)     DH 1024 bits (p: 128, g: 1, Ys: 128)    FS   128
> more...
> 
> AES-128 bit key is completely fine because of Diffie-Hellman Key Exchange
> (DHE) and Forward secrecy (FS).
> I would _enforce_ forward secrecy and disable 3DES and other ciphers.
> 
> 
> 
> 
> 
> 2014-07-01 7:05 GMT+02:00 Niklas Lemcke - 林樂寬 <compul@xxxxxxxxxxxxxx>:
> 
> > On Mon, 30 Jun 2014 23:26:16 -0400
> > Kyle Marek <psppsn96@xxxxxxxxx> wrote:
> >
> > > On 06/30/2014 11:16 PM, Stephen R Guglielmo wrote:
> > > > On Mon, Jun 30, 2014 at 5:06 PM, Bill Cox <waywardgeek@xxxxxxxxxxxxxx>
> > wrote:
> > > >> I get a security warning about an untrusted certificate when I point
> > > >> FireFox to https://ciphershed.org.  I don't know if this is supposed
> > > >> to still happen or not...
> > > > I don't get an error either right now, using Firefox Beta 31.0. I do,
> > > > however, get this on certain computers at work that are using a very
> > > > outdated version of internet explorer.
> > > >
> > > The SHA1 fingerprint of the certificate I am receiving is
> > > 62:A2:09:4E:DD:A5:6C:E4:09:24:58:59:31:38:15:38:37:0A:4C:A4.
> > >
> > > I also noticed, while checking the fingerprint, the encryption only has
> > > 128-bit keys.
> >
> > Actually, my connection is encrypted with AES-256. Maybe 128bit is a
> > setting your browser likes. Both AES256 and AES128 (and even 3DES) are
> > allowed by the server (gotta think about disabling 3DES maybe).
> >
> > Either way though, AES128 should be perfectly fine, considering that it
> > equals an RSA key length of 3072bit. While the server is sporting a
> > 4096bit RSA key, there is no remotely equivalent AES bitlength (192bit ~
> > 7680bit RSA, which is not available in gpg) to that. So even if we would
> > all encrypt with AES256, we would only get a tad more security because
> > of the limitations of RSA key lengths.
> >
> > Also I have the same fingerprint as you do.
> >
> > >
> > > ------------------------------------------------------------------------
> > >
> > >     At the time of sending this message, I have not been contacted by
> > > any government official or worker regarding my participation in
> > > CipherShed or any related project. I have not been asked to supply any
> > > information to them that may be used to impersonate me nor have I been
> > > asked to aid the government or its officials or workers in modifying
> > > part of CipherShed or any related project. I am not aware of any of my
> > > property or anything regarding me being bugged, searched, or compromised
> > > in any way. Anything that accepts PGP encryption or signing should have
> > > been cryptographically secured with my PGP key.
> >
> >
> > --
> > Niklas - 林樂寬
> >




-- 
Niklas - 林樂寬

Attachment: signature.asc
Description: PGP signature
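A worked example added by the editor (not code from this thread, nor from the CipherShed project) that scores a cipher-suite list the way the two replies above reason about it: keep forward secrecy, drop 3DES, and notice that the key exchange, not just the AES key size, bounds the real strength. The equivalences are NIST SP 800-57 (RSA/DH 1024 ≈ 80 bits, 3072 ≈ 128, ECDH 521 ≈ 256, 3DES counted as 112). The input list is constructed: the first six entries are taken from the scan quoted above, and the last two are assumed stand-ins for the plain-RSA and 3DES suites the thread says the server also accepts, using the 4096-bit RSA key the thread mentions. Function and field names (`analyse`, `recommend`, `kex_limited`, `Suite`) are this example's own.

```python
"""Score a server's TLS cipher-suite list: forward secrecy, weak primitives, and
the effective strength once the key exchange is taken into account.
Added example for the thread above; not code from the thread or from CipherShed."""
import re
from dataclasses import dataclass

# NIST SP 800-57 Part 1 equivalences: key size -> security strength in bits.
FFC_IFC_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}  # RSA, finite-field DH
ECC_STRENGTH = {256: 128, 384: 192, 521: 256}                                # ECDH curves

# Any of these in a suite name marks it as one a hardened config should drop.
WEAK_TOKENS = ("3DES", "DES_", "RC4", "NULL", "EXPORT", "MD5", "anon")

SUITE_RE = re.compile(
    r"^TLS_(?P<kex>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS|anon))?"
    r"_WITH_(?P<cipher>.+)_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)


@dataclass
class Suite:
    name: str
    kex_bits: int          # size of the key-exchange group/key the server uses
    symmetric_bits: int    # AES key size; 3DES counted as 112 per NIST
    forward_secrecy: bool  # ECDHE or DHE key exchange
    weak: bool             # contains a primitive from WEAK_TOKENS
    effective_bits: int    # min(key-exchange strength, symmetric strength)


def kex_strength(kex: str, bits: int) -> int:
    """Security strength of the key exchange, rounded down to the nearest NIST row."""
    table = ECC_STRENGTH if kex.startswith("EC") else FFC_IFC_STRENGTH
    rows = [strength for size, strength in sorted(table.items()) if size <= bits]
    return rows[-1] if rows else 0


def symmetric_strength(cipher: str) -> int:
    """AES by key size, 3DES as 112 bits; anything else is treated as 0 (unsuitable)."""
    m = re.match(r"AES_(\d+)", cipher)
    if m:
        return int(m.group(1))
    return 112 if cipher.startswith("3DES") else 0


def analyse(name: str, kex_bits: int) -> Suite:
    """Parse an IANA suite name plus the key-exchange size a scanner reported."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    sym = symmetric_strength(m["cipher"])
    return Suite(
        name=name,
        kex_bits=kex_bits,
        symmetric_bits=sym,
        forward_secrecy=m["kex"] in ("ECDHE", "DHE"),
        weak=any(tok in name for tok in WEAK_TOKENS),
        effective_bits=min(kex_strength(m["kex"], kex_bits), sym),
    )


def kex_limited(s: Suite) -> bool:
    """True when the key exchange, not the AES key, is the weakest link."""
    return s.effective_bits < s.symmetric_bits


def recommend(server_order):
    """Suites a hardened config would keep: forward secrecy only, no weak
    primitives. The server's own preference order is preserved."""
    return [s for s in server_order if s.forward_secrecy and not s.weak]


# Constructed input: (suite, key-exchange bits). The first six are taken from the
# scan quoted in the thread; the last two are assumed stand-ins for the plain-RSA
# and 3DES suites the thread says the server also accepts (4096-bit RSA key).
SERVER_PREFERRED = [
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 521),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 521),
    ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 1024),
    ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 1024),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 521),
    ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 1024),
    ("TLS_RSA_WITH_AES_256_CBC_SHA", 4096),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 4096),
]


def report(entries=SERVER_PREFERRED):
    """Analyse every entry, print one line per suite, and return the Suite list."""
    suites = [analyse(name, bits) for name, bits in entries]
    for s in suites:
        flags = ("FS " if s.forward_secrecy else "   ") + ("WEAK " if s.weak else "     ")
        note = "  <- key exchange limits it" if kex_limited(s) else ""
        print(f"{s.name:40} {flags} sym {s.symmetric_bits:3}  effective {s.effective_bits:3}{note}")
    return suites


if __name__ == "__main__":
    analysed = report()
    print("\nkeep:", *[s.name for s in recommend(analysed)], sep="\n  ")
```

The output makes the thread's point concrete: ECDHE over a 521-bit curve with AES-128 rates at 128 bits, while DHE with a 1024-bit group drags AES-256 down to 80 bits, and a plain-RSA suite with no forward secrecy sits at 128 regardless of the 4096-bit key. `recommend` keeps the six forward-secrecy suites and drops the plain-RSA and 3DES ones.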
