Newsgroups: php.internals
Date: Wed, 29 Jan 2014 11:01:15 -0500
From: rdlowrey@gmail.com (Daniel Lowrey)
To: "internals@lists.php.net", padraic.brady@gmail.com
Subject: Re: Improved TLS Defaults

> The Mozilla defaults are geared towards achieving perfect forward security
> where possible ...
> The RFC, at a minimum, seems a positive change.

Great! This is the goal. The settings proposed in the RFC are geared towards disallowing anything that's unabashedly insecure while still maintaining the broadest possible support by default (to minimize BC implications).

I realize that Padraic isn't suggesting this but I want to state for the record that I don't believe it makes sense at this time to try to enforce perfect forward security as a language-level default. However, it *is* important to move away from the existing naive default and that's what the RFC proposes.

The nice thing here is that the default cipher setting is *exceedingly* simple to modify in response to future threats or attack vectors; all we'd need to do to respond to new information going forward is to modify a single string.