duckduckgo.com with TLS 1.2 + PFS + AES 256-bit

<hidden> anonymous
Created: 4 years and 11 months ago
Hey guys,

can you please integrate a cipher suite for:

TLS 1.2 + PFS (Perfect Forward Secrecy) + AES 256-bit

https://www.ssllabs.com/ssltest/analyze....

-> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is missing!

thanks!

This forum has been archived

Thank you all for the many comments, questions and suggestions. Particular thanks go to user x.15a2 for constantly monitoring, replying and helping so many users here. To continue these discussions, please head over to the DuckDuckGo subreddit.


anonymous
Good article cheers
posted by <hidden> • 4 years and 11 months ago Link
anonymous
I agree, currently DDG uses RC4_128 with SHA1, but given the latest reveals regarding NSA they are totally compromised...
posted by <hidden> • 4 years and 11 months ago Link
caine
for various reasons this was not possible until now. it should be rolling out shortly: https://www.ssllabs.com/ssltest/analyze....
posted by caine Staff4 years and 11 months ago Link
anonymous
Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
http://blog.ivanristic.com/2013/08/confi...


This Cipher Suite should be the recent best solution:

EXAMPLE for Apache:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"


EXAMPLE for Nginx:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";


So your ordered SSL cipher preference list should look like this:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-RC4-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-RC4-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA


I think this would be a good, modern secure solution.
posted by <hidden> • 4 years and 11 months ago Link
anonymous
I have been wondering about cipher suites too. At the very least can we get ECDHE-RSA-AES128-GCM-SHA256 for the preferred key? Thanks.
posted by <hidden> • 4 years and 4 months ago Link