« May 2007 | Main | August 2007 »
July 30, 2007
Firefox Cipher Suites
When your browser connects to a web site protected by transport layer security of some kind (usually by accessing an https:// URL) there's a negotiation between the two parties. Each party (browser, server) comes to the negotiation with a list of cipher suites that it is prepared to use, and the result is that one of these suites is chosen for the connection.
Recently I ran into a situation where Firefox 2.0 wasn't connecting to a site which Firefox 1.5 had no problems with. It's pretty hard to figure out which cipher suites Firefox is prepared to use from its documentation, so I decided to determine the answer directly by snooping on the negotiation part of the protocol.
Read on for method and results.
The easiest way I could find to snoop an SSL/TLS connection is to use the Wireshark protocol analyser running on the client machine. I was pleasantly surprised to find that Wireshark runs just fine in a VMware virtual machine. All you need to do is start up Wireshark and tell it to capture packets going to or from the appropriate port at the server's IP address.
Of course, Wireshark can't always tell you what's going on inside an encrypted connection; it doesn't have a magic wand. Fortunately for my purposes here, the initial cipher suite negotiation is always performed unencrypted and Wireshark is capable of breaking it down in some detail. For example, here's what Wireshark sees Firefox 1.5 sending when it opens an https:// URL:
Secure Socket Layer
SSLv2 Record Layer: Client Hello
Length: 103
Handshake Message Type: Client Hello (1)
Version: TLS 1.0 (0x0301)
Cipher Spec Length: 78
Session ID Length: 0
Challenge Length: 16
Cipher Specs (26 specs)
Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
Cipher Spec: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0x00feff)
Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
Cipher Spec: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0x00fefe)
Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
Cipher Spec: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x000064)
Cipher Spec: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x000062)
Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
Challenge
For the record, the above is from a CentOS 5 system, although I suspect that doesn't matter.
By comparison, the following comes from Firefox 2.0 under Fedora 7:
Secure Socket Layer
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 102
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 98
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: Feb 6, 1970 14:03:37.000000000
random_bytes: 344D04196CDE0D05A480714440E227729CFD6F94F9AF9689...
Session ID Length: 0
Cipher Suites Length: 24
Cipher Suites (12 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 33
Extension: server_name
Type: server_name (0x0000)
Length: 29
Data (29 bytes)
It's pretty obvious that Firefox 2.0 has tightened things up in several ways. Most obviously, there are far fewer cipher suites offered to the server by Firefox 2.0. In particular, the following are missing:
SSL2_RC4_128_WITH_MD5 SSL2_RC2_CBC_128_CBC_WITH_MD5 SSL2_DES_192_EDE3_CBC_WITH_MD5 SSL2_DES_64_CBC_WITH_MD5 SSL2_RC4_128_EXPORT40_WITH_MD5 SSL2_RC2_CBC_128_CBC_WITH_MD5 TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA SSL_RSA_FIPS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
This is by default; it turns out that if you dig around enough you can turn some of these back on again. You might not want to, though, as they have been removed from the default configuration for good reason:
Cipher suites requiring the SSL V2 protocol have been removed because of the many known issues with the protocol. This accounts for the six
SSL2_removals: SSL V3 and TLS V1 have been around for roughly a decade, so supporting the older broken protocol seems unnecessary.Four
_EXPORT_cipher suites have been removed. These suites use very weak cryptography by modern standards; as the US regulations that required their implementation were loosened some years ago, it again seems unhelpful to continue supporting the weaker systems.Four cipher suites making use of the original DES standard (albeit in its "full strength" form with a 56-bit key) have been removed.
I don't see any real reason to object to any of the above; if you support connections using weak ciphers, you're giving people an unjustified level of assurance about the security of their communications. In that sense, weak cryptography is worse than none at all.
Posted by Ian at 12:34 PM in Cryptography | Comments (2) | Permalink
July 23, 2007
One Day in Europa
One of the client projects I'm working on in the virtual world of Second Life involves generating different effects at different times of the (virtual) day. Second Life's virtual day runs six times faster than the real world's, and there are other interesting differences (the Sun and Moon move in unison, for example) so I thought it would be useful to make a reference movie to show what things look like over a complete cycle.
Let me therefore present One Day in Europa (57MB QuickTime movie), a time-lapse film of a static view from a parcel of land I own in the Europa sim. This reduces the virtual 24-hour day (4-hour elapsed time) to three minutes plus credits. If 57MB seems a bit much, there is a smaller version (23MB) available.
If you click on the thumbnail, you can see the information panel in more detail. The first line includes the number of seconds past local midnight, followed by that same number expressed in hours, minutes, and seconds; finally, the rightmost value gives you the equivalent time on a 24-hour scale.
My thanks to Nick Rothwell of CASSIEL for permission to use a track from their album Listen/Move.
Posted by Ian at 3:44 PM in Virtual iay | Permalink