Intent to Deprecate and Remove: Pre-standard ChaCha20-Poly1305 ciphers

۱۱۲ بازدید
رفتن به اولین پیام خوانده‌نشده

David Benjamin

خوانده‌نشده،
۳۰ دی ۱۳۹۵، ۱۶:۴۱:۵۳۱۳۹۵/۱۰/۳۰
به blink-dev،net-dev،security-dev،a...@chromium.org،awha...@chromium.org

Primary eng (and PM) emails

a...@chromium.org

awha...@chromium.org


Summary

Remove pre-standard variants of ChaCha20-Poly1305 cipher suites for Chrome 58 (after the current release branches).


Motivation

In 2013, Chrome 31 deployed new TLS cipher suites based on Prof. Dan Bernstein's ChaCha20 and Poly1305 algorithms. These was later standardized, with small tweaks, at the IETF as RFC 7539 and RFC 7905. We shipped the standardized variant early in 2016 with Chrome 49.


Compatibility And Interoperability Risk

Negligible compatibility risk. Only Chromium-based browsers ever implemented the pre-standard variant. TLS parameters are negotiated, so any remaining servers still selecting those ciphers would pick a different cipher suite, likely one based on AES-GCM which we also consider secure. The pre-standard variants were also never shipped by any official releases of commonly-used server software like OpenSSL.


Alternative implementation suggestion for web developers

Use the standardized variant, or AES-GCM.


Usage information from UseCounter

1% of TLS connections from Chrome use these ciphers, compared to 26% which use the standardized ones. Note that those 1% of servers will all simply fall back to another cipher suite. Other browsers did not ship these ciphers.


OWP launch tracking bug

https://crbug.com/682816


Entry on the feature dashboard

https://www.chromestatus.com/feature/5633556340539392


Requesting approval to remove too?

Yes


Chris Harrelson

خوانده‌نشده،
۴ بهمن ۱۳۹۵، ۱۳:۳۵:۴۹۱۳۹۵/۱۱/۴
به David Benjamin،blink-dev،net-dev،security-dev،a...@chromium.org،awha...@chromium.org
LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Jochen Eisinger

خوانده‌نشده،
۴ بهمن ۱۳۹۵، ۱۳:۴۱:۵۶۱۳۹۵/۱۱/۴
به Chris Harrelson،David Benjamin،blink-dev،net-dev،security-dev،a...@chromium.org،awha...@chromium.org

lgtm2


To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Rick Byers

خوانده‌نشده،
۴ بهمن ۱۳۹۵، ۱۳:۵۱:۲۹۱۳۹۵/۱۱/۴
به Jochen Eisinger،Chris Harrelson،David Benjamin،blink-dev،net-dev،security-dev،a...@chromium.org،awha...@chromium.org
LGTM3

When making a change like this we keep an eye on (or have chirp alerts for) the UMA connection error stats to confirm "will all simply fall back to another cipher suite", right? I.e. in the unlikely case there's some popular server bug / misconfiguration that could cause a spike of errors?

lgtm2


To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

David Benjamin

خوانده‌نشده،
۴ بهمن ۱۳۹۵، ۱۴:۳۴:۰۶۱۳۹۵/۱۱/۴
به Rick Byers،Jochen Eisinger،Chris Harrelson،blink-dev،net-dev،security-dev،a...@chromium.org،awha...@chromium.org
Yup. The net team has alerts on various connection error metrics, so we should notice. Although it would take a staggeringly creative server bug to break on this, supposing the server works in any non-Chromium browser.

lgtm2


To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

پاسخ به همه
پاسخ به نویسنده
فرستادن
0 پیام جدید