websecurity October 2007 archive

Re: [WEB SECURITY] Help needed explaining SSL cipher suite strength to non-security administrators

From: Neil Smithline <neil-webappsec-org_at_nospam>
Date: Wed Oct 10 2007 - 11:24:12 GMT
To: "Martin O'Neal" <martin.oneal@corsaire.com>


Martin - I think that is a good idea. If I may extend it, presenting the cipher suites by the standards they meet really allows the user to pick a level of security by the standard. I think this is still far from perfect but a much more reasonable selection.

Thanks for the clever idea, Martin.

- Neil

-------- Original Message --------
Subject: Re: [WEB SECURITY] Help needed explaining SSL cipher suite strength to non-security administrators
From: Martin O'Neal <martin.oneal@corsaire.com>
To: Neil Smithline <neil-webappsec-org@smithline.net>, Web Security <websecurity@webappsec.org>
Date: 10-10-07 02:16

>
>> In theory I'd like to be able to just line the suites in order...
>
> Personally I wouldn't give them too much of a choice. Drop the known
> weak cipher sets (all SSLv2 support, all NULLs etc) then simply make a
> call as to what your minimum acceptable symmetrical key size is
> (http://en.wikipedia.org/wiki/Key_size). However, this may be
> ultimately determined by any standards you (or your clients) may be
> required to comply with, like any of the banking, auditing or card
> handling standards. Many require a 128-bit minimum, and some specify the
> acceptable symmetrical algorithms.
>
> Martin...
>
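The approach discussed in this thread (drop SSLv2 and NULL suites, apply a minimum symmetric key size, then present what remains per policy level) can be sketched as follows. This is an added example, not code from either poster; the profile names and their bit minimums are hypothetical, and the sample suite list is constructed in the dict shape returned by Python's `ssl.SSLContext.get_ciphers()`.

```python
import ssl

# Hypothetical profile labels; the minimums are illustrative and are not
# taken from any particular standard.
PROFILES = {"minimum-128": 128, "minimum-256": 256}

# Constructed entries in the shape of ssl.SSLContext.get_ciphers() output.
# strength_bits is the effective strength, so 3DES shows 112, not 168.
SAMPLE = [
    {"name": "AES256-SHA", "protocol": "SSLv3", "strength_bits": 256},
    {"name": "AES128-SHA", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "NULL-SHA", "protocol": "SSLv3", "strength_bits": 0},
    {"name": "RC4-MD5", "protocol": "SSLv2", "strength_bits": 128},
]

def reject_reason(suite, min_bits):
    """Return why a suite is dropped, or None if it passes the policy."""
    if suite["protocol"] == "SSLv2":
        return "SSLv2"
    if suite["strength_bits"] == 0 or "NULL" in suite["name"]:
        return "NULL encryption"
    if suite["strength_bits"] < min_bits:
        return "below %d-bit minimum" % min_bits
    return None

def by_profile(suites, profiles=PROFILES):
    """Map each profile label to the suite names it allows."""
    return {
        label: [s["name"] for s in suites if reject_reason(s, bits) is None]
        for label, bits in profiles.items()
    }

def rejected(suites, min_bits):
    """Map each dropped suite name to the reason it was dropped."""
    return {s["name"]: r for s in suites if (r := reject_reason(s, min_bits))}

if __name__ == "__main__":
    for label, names in by_profile(SAMPLE).items():
        print(label, names)
    print(rejected(SAMPLE, 128))
    # The same check against the suites the local OpenSSL build enables.
    print(by_profile(ssl.create_default_context().get_ciphers()))
```
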


