Bug 1166690: Minimum Diffie-Hellman (DH) group size
Status: Closed, RESOLVED DUPLICATE of bug 1138554
Opened 10 years ago, closed 10 years ago
Categories: NSS :: Libraries, defect
Tracking: Not tracked
People: Reporter: mancha1, Unassigned
Attachments: 1 file (deleted), patch
Hello.
Adrian et al. recently published a paper [1] describing new TLS attacks that leverage their ability to easily compute arbitrary discrete logs in 512-bit groups. Proof-of-concept demonstrations are provided in [2].
Mozilla should consider raising the minimum DHE group size from 512 to at least 1024 bits (suggested patch is attached).
Note: because of the way NSS currently handles bits vs. bytes when computing sizes, checking dh_p.len < 512/8 effectively allows DH group sizes 505 bits and greater (505 bits requires 64 bytes).
Similarly, after applying my patch, NSS will effectively allow DH groups 1017 bits and greater (1017 bits requires 128 bytes).
A separate bug should be opened to fix the handling of leading zero bits in length calculations.
PS It is my understanding Google Chrome will also be rejecting DH group sizes smaller than 1024 bits.
----
[1] https://weakdh.org/imperfect-forward-secrecy.pdf
[2] https://weakdh.org/logjam.html
Though a 1024-bit minimum for DHE groups is considerably better than NSS's current 512-bit minimum, it's important to realize the change is not particularly forward-looking.
NIST's approximate security equivalencies provide a bit of context:
DH Group       Symmetric Sec.
Size (bits)    Strength (bits)
1024           80
2048           112
3072           128
Maybe a better approach than hard-coded minimums is a pref tunable (i.e. security.tls.dhe.min.bits).
Ideally, the ecosystem will prioritize convergence towards more secure key agreement mechanisms (e.g. finite field DH with 3072+ bit groups or EC DH with secure curves over large fields).
Mozilla can play a key leadership role in shepherding this process.
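The bits-versus-bytes note in the description above, worked through as an added example (not NSS code and not the attached patch): a check on byte length alone accepts a 505-bit modulus against a 512-bit minimum and a 1017-bit modulus against a 1024-bit minimum, while a bit-exact check rejects both. Function names and sample values are constructed for illustration; the samples are odd integers of a given bit length, not real primes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Exact bit length of a big-endian unsigned integer; leading zero
 * bytes and leading zero bits of the top byte are not counted. */
static size_t be_bit_length(const unsigned char *buf, size_t len)
{
    size_t i = 0, bits;
    unsigned char top;
    while (i < len && buf[i] == 0) i++;
    if (i == len) return 0;
    bits = (len - i) * 8;
    for (top = buf[i]; !(top & 0x80); top <<= 1)
        bits--;
    return bits;
}

/* Byte-granular check of the form quoted above (dh_p.len < min/8 rejects). */
static int accept_by_byte_len(size_t len, size_t min_bits)
{
    return len >= min_bits / 8;
}

/* Bit-exact check: the modulus must really have min_bits significant bits. */
static int accept_by_bit_len(const unsigned char *p, size_t len, size_t min_bits)
{
    return be_bit_length(p, len) >= min_bits;
}

/* Constructed sample: odd integer of exactly `bits` bits, bits >= 1 (not a prime). */
static size_t make_sample(unsigned char *out, size_t bits)
{
    size_t len = (bits + 7) / 8;
    memset(out, 0xFF, len);
    out[0] = (unsigned char)(0xFF >> ((8 - bits % 8) % 8));
    return len;
}

int main(void)
{
    static const size_t c[][2] = { {505, 512}, {512, 512}, {1017, 1024}, {1024, 1024} };
    unsigned char p[128]; size_t i;
    for (i = 0; i < sizeof c / sizeof c[0]; i++) {
        size_t len = make_sample(p, c[i][0]);
        printf("%4zu-bit p, min %4zu: by bytes=%d by bits=%d\n", c[i][0], c[i][1], accept_by_byte_len(len, c[i][1]), accept_by_bit_len(p, len, c[i][1]));
    }
    return 0;
}
```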
Comment 2•10 years ago
Since DHE group size security roughly correlates to the same in RSA, NSS et al. probably should have been moved to 1024 bits as a minimum some time ago; it won't be long until 1024-bit RSA gets the axe as well.
As a reference site, note that you can use the badssl.com website to test weak DHE group errors:
https://dh480.badssl.com/ (currently does generate an error)
https://dh512.badssl.com/ (does not generate an error)
Given that the low water mark will likely be moving very soon, I will look into creating a dh1024 site sometime in the next day or so. The error for a weak ephemeral key (like many of the crypto errors in FF) is pretty opaque; if we're going to start running into a lot more errors with the killing of 512-bit DHE, we should probably also clean up that error page.
Updated•10 years ago
Summary: Minimum DH group size (logjam) → Minimum Diffie-Hellman (DH) group size (logjam)
Comment 3•10 years ago
Also, Chromium is set to have this change in (at least) Chrome 45, but it may get backported to earlier versions:
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/WyGIpevBV1s
They've also already disabled TLS False-Start when DH is used.
Alias: LogJam
Summary: Minimum Diffie-Hellman (DH) group size (logjam) → Minimum Diffie-Hellman (DH) group size
Updated•10 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
I'm unable to track bug 1138554. Can someone please add me to the bug or change the bug's perms?
Thanks!
Comment 6•10 years ago
Logjam is already public. Is it necessary to hide bug 1138554 anymore?