Primary eng (and PM) emails
Summary
Remove support for the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite in M93.
Motivation
TLS_RSA_WITH_3DES_EDE_CBC_SHA is a remnant of the SSL 2.0 and SSL 3.0 era. 3DES in TLS is vulnerable to the Sweet32 attack. Being a CBC cipher suite, it is also vulnerable to the Lucky Thirteen attack. The first replacement AES cipher suites were defined for TLS in RFC3268, published around 19 years ago, and we’ve had several iterations since.
The cipher suite is slow and CPU-intensive. On mobile, this translates to wasted battery. 3DES is, itself, expensive, and we have more efficient constructions than CBC. The mitigations needed to avoid the Lucky Thirteen attack add a further penalty. In total, on a fast desktop workstation, we can only process 32MB/s with 3DES, while AES-128-GCM with hardware acceleration hits 5.6GB/s. With all hardware and vector operations disabled, that workstation still hits 159M/s with AES-128-GCM and 480MB/s with ChaCha20-Poly1305.
Finally, many implementations of 3DES leak cache and timing side channels. This includes ours and OpenSSL’s, used in many servers. While it is possible to avoid this with a “constant-time” implementation, as we do for modern ciphers, this would even further increase 3DES’s CPU penalty. BearSSL reports a 3x hit for a constant-time implementation.
Interoperability and Compatibility Risk
Servers that only support TLS_RSA_WITH_3DES_EDE_CBC_SHA and no AES-based alternative will fail to connect. With the removal of TLS 1.0 and 1.1, 3DES usage has fallen away. See metrics below. Note TLS features are negotiated, so servers that support both modern cipher suites and 3DES will continue to work as before. There is no requirement to disable 3DES on the server, only enable replacements.
Edge: Supported, no signals on removal
Firefox: Supported, bug open and a previous attempt at removal four years ago
Safari: Supported, no signals on removal
Alternative implementation suggestion for web developers
Enable a modern cipher suite. We recommend enabling TLS 1.3 or, if not available, enabling TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with TLS 1.2. This should be a configuration-only change: all TLS 1.2 implementations we are aware of already implement modern cipher suites.
As a temporary workaround, enterprise administrators will be able to set the 3DESEnabled administrative policy to re-enable the cipher suites. This policy will also be available in Chrome 92 to help administrators test their networks ahead of the Chrome 93 change. It will be removed in Chrome 95, which will hit the stable channel in October 2021.
Usage information from UseCounter
Since Firefox’s previous attempt four years ago, 3DES usage has declined, and we added a fallback for more accurate measurements. The Net.SSL_CipherSuite histogram now reports 0.00% of TLS connections in Chrome stable use 3DES.
Entry on the feature dashboard
This is a good thing to do, and I'm happy to see the intent.A few questions prior to LGTMing:1. Regarding signals: we've coordinated with other vendors in the past on deprecations like these. Are you in contact with our colleagues regarding their timelines? If you haven't already, I'd suggest getting more official signals via the approaches documented in https://bit.ly/blink-signals, which could provide an opportunity for explicit alignment on timelines.
2. Have y'all thought about wiring ciphersuite changes up to devtools in some way to make it clear to developers who care to look that they're doing something that's going to stop working? Similarly, it would be helpful to give developers something of a roadmap: what's next on the list? Can we start warning about it on the security panel today?
3. I'm happy to see the enterprise policy, as that seems like the most likely vector for unexpected usage. Thanks for thinking that through!I don't think this particular deprecation requires a TAG review (based on some previous conversations, I somewhat expect them to punt such a question to the relevant group in the IETF). Is there some indication of broad support from that body for this change? It seems somewhat obvious to me that this is a good idea, but having a signal we could point to would be helpful.
Hey everyone,Is there any chance that this could send a Deprecation Report via the Reporting API along with such deprecations in the future? Regarding Mike's earlier comment, this is probably a better way to notify developers that want to know about such intents rather than hoping someone will catch it in Dev Tools!
--You received this message because you are subscribed to the Google Groups "blink-dev" group.To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAF8qwaAreYrLvFkgwf02e0Oz3U-agHXSivAATRVA1gxgOpkRRA%40mail.gmail.com.
On Wed, 28 Apr 2021 at 15:26, David Benjamin <davi...@chromium.org> wrote:
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/5fe8657a-f78e-47b5-b87f-ffdc33b65316n%40chromium.org.
LGTM1. The usage numbers are as low as they can go, and our friends at Mozilla are on board. Good luck with the removal!For the future:1. I think the reporting API integration that Scott asks for is pretty reasonable to aim for when we deprecate the next cipher suite.
2. Putting a die-die-die draft together with our friends in the IETF for posterity also seems reasonable. I'm happy to help with that.
LGTM2(Enterprise policy may be a good thing but I think you can check that outside this decision)
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAF8qwaCWqmhHJQdRuKG4aVUBXQq_8sHFKECjuTq6Cib-%3DyiniQ%40mail.gmail.com.
Primary eng (and PM) emails
Summary
Remove support for the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite in M93.
Motivation
TLS_RSA_WITH_3DES_EDE_CBC_SHA is a remnant of the SSL 2.0 and SSL 3.0 era. 3DES in TLS is vulnerable to the Sweet32 attack. Being a CBC cipher suite, it is also vulnerable to the Lucky Thirteen attack. The first replacement AES cipher suites were defined for TLS in RFC3268, published around 19 years ago, and we’ve had several iterations since.
The cipher suite is slow and CPU-intensive. On mobile, this translates to wasted battery. 3DES is, itself, expensive, and we have more efficient constructions than CBC. The mitigations needed to avoid the Lucky Thirteen attack add a further penalty. In total, on a fast desktop workstation, we can only process 32MB/s with 3DES, while AES-128-GCM with hardware acceleration hits 5.6GB/s. With all hardware and vector operations disabled, that workstation still hits 159M/s with AES-128-GCM and 480MB/s with ChaCha20-Poly1305.
Finally, many implementations of 3DES leak cache and timing side channels. This includes ours and OpenSSL’s, used in many servers. While it is possible to avoid this with a “constant-time” implementation, as we do for modern ciphers, this would even further increase 3DES’s CPU penalty. BearSSL reports a 3x hit for a constant-time implementation.
Interoperability and Compatibility Risk
Servers that only support TLS_RSA_WITH_3DES_EDE_CBC_SHA and no AES-based alternative will fail to connect. With the removal of TLS 1.0 and 1.1, 3DES usage has fallen away. See metrics below. Note TLS features are negotiated, so servers that support both modern cipher suites and 3DES will continue to work as before. There is no requirement to disable 3DES on the server, only enable replacements.
Edge: Supported, no signals on removal
Firefox: Supported, bug open and a previous attempt at removal four years ago
Safari: Supported, no signals on removal
Alternative implementation suggestion for web developers
Enable a modern cipher suite. We recommend enabling TLS 1.3 or, if not available, enabling TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with TLS 1.2. This should be a configuration-only change: all TLS 1.2 implementations we are aware of already implement modern cipher suites.
As a temporary workaround, enterprise administrators will be able to set the 3DESEnabled administrative policy to re-enable the cipher suites.