How DigiCert and its partners are putting trust to work to solve real problems today.
While the world is pushed—or forced—toward digitizing all business processes, workflows and functions, the lessons from the early days of the Internet can be a predictor of success. Learn how Digital Trust can make or break your strategy and how the wrong solution may be setting your organization up for failure in less than three years.
The security industry continues to raise standards to keep the Internet’s SSL/TLS communications secure. Google announced in a blog post plans to deprecate DHE-based cipher suites. This announcement follows several noteworthy browser security advancements for 2015-16.
Earlier this year the major browsers announced they would be ending support for RC4 ciphers in early 2016. In May 2015, Chrome announced that they would “raise the minimum TLS Diffie-Hellman group size from 512-bit to 1024-bit” in Chrome 45. And, in October 2015, Mozilla Firefox and Microsoft announced they are considering ending support for SHA-1 in mid-2016.
When Chrome announced they would be ending support for 512-bit DHE, they pointed out that the move to 1024-bit DHE (the new minimum) was not a long-term solution. Unfortunately, an overwhelming majority of DHE connections (95% as seen by Chrome) continue to use the 1024-bit DHE.
Because of the way DHE is negotiated in TLS, dropping support for 1024-bit DHE would be difficult. So, one of the solutions would be to end support for DHE-based cipher suites all together in favor of the ECDHE-based cipher suites. To better understand the effects of the move from DHE to ECDHE ciphers, Chrome is going to prioritize ECDHE-based ciphers over DHE-based ciphers.
In Chrome 49, DHE-based cipher suites will no longer be offered in the initial handshake between browser and server. If the initial handshake fails, another handshake will be initiated using DHE. In Chrome 49 if a server is negotiating DHE-based cipher suites, forward secrecy will no longer work. For forward secrecy to work, servers will need to be reconfigured to use ECDHE-based cipher suites.