Announcements 11-20-2015

Google Plans to Deprecate DHE Cipher Suites

The security industry continues to raise standards to keep the Internet’s SSL/TLS communications secure. Google announced in a blog post. This announcement follows several noteworthy browser security advancements for 2015-16.

Earlier this year the they would be ending support for RC4 ciphers in early 2016. In May 2015, Chrome announced that they would “raise the minimum TLS Diffie-Hellman group size from 512-bit to 1024-bit” in Chrome 45. And, in October 2015, and Microsoft announced they are considering ending support for SHA-1 in mid-2016.

When , they pointed out that the move to 1024-bit DHE (the new minimum) was not a long-term solution. Unfortunately, an overwhelming majority of DHE connections (95% as seen by Chrome) continue to use the 1024-bit DHE.

Because of the way DHE is negotiated in TLS, dropping support for 1024-bit DHE would be difficult. So, one of the solutions would be to end support for DHE-based cipher suites all together in favor of the ECDHE-based cipher suites. To better understand the effects of the move from DHE to ECDHE ciphers, Chrome is going to prioritize ECDHE-based ciphers over DHE-based ciphers.

In Chrome 49, DHE-based cipher suites will no longer be offered in the initial handshake between browser and server. If the initial handshake fails, another handshake will be initiated using DHE. In Chrome 49 if a server is negotiating DHE-based cipher suites, forward secrecy will no longer work. For forward secrecy to work, servers will need to be reconfigured to use ECDHE-based cipher suites.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-11-2024

FIPS 140-3 certification unlocked for TrustCore SDK

10-31-2024

Announcing the GA release of Device Trust Manager