this post was submitted on 13 Oct 2023
627 points (98.8% liked)

Technology

59322 readers
4321 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 34 points 1 year ago* (last edited 1 year ago) (3 children)

Yeah you can observe this with letsencrypt failing to generate a certificate if you change the elliptic curve from an NSA generated curve to a generic/known safe one. Changing between different NSA curves are functionally fine. Forces all signed certificates to use curves that are known to have issues, deliberate or otherwise - i.e. backdoored.

[–] [email protected] 21 points 1 year ago (1 children)

Can you elaborate on this? Which curves does it happen with? Is there some source that you’ve seen?

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (1 children)

That's worrying if true. However I couldn't find a source. Even if true Let's encrypt is probably the most secure option

[–] [email protected] 1 points 1 year ago (1 children)
[–] [email protected] 4 points 1 year ago

Thanks, I am extremely skeptical and I might just reach out to let's encrypt for clarification

[–] [email protected] 8 points 1 year ago (1 children)

You can't use arbitrary curves with certificates, only those which are standardized because the CA will not implement anything which isn't unambiguously defined in a standard with support by clients.

https://community.letsencrypt.org/t/tls-1-2-and-tls-1-3-need-curve25519-and-curve448-ssl-certificates/200775/3

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (1 children)

My point is that there is a documented listed of supported curves for ECDSA but attempting to use any other safe curve in the list results in a failure. I am not trying to use some arbitrary curve.

If your point is that no safe curve is permitted because the powers that be don't permit it, TLS is doomed.

https://eff-certbot.readthedocs.io/en/latest/using.html#using-ecdsa-keys

The default is a curve widely believed to be unsafe, p256, with no functioning safe alternative.

https://safecurves.cr.yp.to/

That's Bernstein's website if anyone was wondering, showing p256 is unsafe.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

I run a cryptography forum, I know this stuff, and the problem isn't algorithmic weakness but complexity of implementation.

All major browsers and similar networking libraries now have safe implementations after experts have taken great care to handle the edge cases.

It's not a fault with let's encrypt. If they allowed nonstandard curves then almost nothing would be compatible with it, even the libraries which technically have the code for it because anything not in the TLS spec is disabled.

https://security.stackexchange.com/questions/42088/can-custom-elliptic-curves-be-used-in-common-tls-implementations

https://cabforum.org/baseline-requirements-certificate-contents/

CAB is the consortium of Certificate Authorities (TLS x509 certificate issuers)

With that said curve25519 is on its way into the standards

[–] [email protected] 1 points 1 year ago (2 children)

Tldr would be that there are no safe ECC curves in TLS? Yet

[–] [email protected] 2 points 1 year ago

P256 isn't known to be insecure if implemented right, it's just harder to implement right

[–] [email protected] 1 points 1 year ago

The WRC deals with unsafe curves all the time. I think picking a couple of spots on some of their curves at high speed would be interesting. Samir has been known to break some of these...