Chromium Code Reviews

Issue 703143003: Show something more useful than the number of bits in the cipher key. (Closed)

Created: 6 years, 1 month ago by agl
Modified: 6 years, 1 month ago
Reviewers: felt
CC: chromium-reviews, markusheintz_, cbentzel+watch_chromium.org
Base URL: https://chromium.googlesource.com/chromium/src.git@master
Project: chromium
Visibility: Public.

Description

Show something more useful than the number of bits in the cipher key.

For a very long time, the first element in the security section of the Connection dialog says something like: "Your connection to example.com is encrypted with 128-bit encryption"

This is useless because it makes people think that 256 bits must be better than 128. But AES-256-CBC is 256 bits and it's far worse than AES-128-GCM.

Also, we had a different message for when bits <= 80, but we don't support any of those ciphers any longer so that could never be triggered.

This change switches the message to simply say whether the cipher suite is decent or legacy. We use the same judgement function as the one for deciding whether a TLS connection is acceptable for HTTP/2. Basically, >= TLS 1.2, forward secure and using an AEAD cipher.

Since this text is two clicks down, users will probably never see it. But I'll stop being annoyed every time I see the old message.

BUG=none
R=felt@chromium.org

Committed: https://chromium.googlesource.com/chromium/src/+/71c2b59bc4f1c613a88662ebece9180a88125b61
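The three criteria named in the description (TLS 1.2 or later, forward secure, AEAD cipher), worked through as an added example that is not part of this change or of Chromium's code. It assumes the connection is described by an IANA-style cipher suite name and classifies by string matching; all function and type names are hypothetical.

```cpp
// Added example, not Chromium's code. Function names are hypothetical and the
// classification works on IANA suite names by string matching (an assumption).
#include <cstdlib>
#include <iostream>
#include <string>

enum class TlsVersion { kTls10, kTls11, kTls12 };

static bool Contains(const std::string& s, const std::string& needle) {
  return s.find(needle) != std::string::npos;
}

// Forward secure: ephemeral Diffie-Hellman key exchange (DHE or ECDHE).
bool IsForwardSecure(const std::string& suite) {
  return suite.rfind("TLS_ECDHE_", 0) == 0 || suite.rfind("TLS_DHE_", 0) == 0;
}

// AEAD bulk cipher: GCM, CCM or ChaCha20-Poly1305. CBC and RC4 suites fail.
bool IsAead(const std::string& suite) {
  return Contains(suite, "_GCM_") || Contains(suite, "_CCM") ||
         Contains(suite, "CHACHA20_POLY1305");
}

// The three criteria from the description, all of which must hold.
bool IsModernConnection(TlsVersion version, const std::string& suite) {
  return version >= TlsVersion::kTls12 && IsForwardSecure(suite) &&
         IsAead(suite);
}

// The number the old dialog showed, read from the suite name (0 if no AES).
int AesKeyBits(const std::string& suite) {
  const std::string tag = "_AES_";
  const std::string::size_type pos = suite.find(tag);
  return pos == std::string::npos
             ? 0
             : std::atoi(suite.c_str() + pos + tag.size());
}

int main() {
  // Constructed sample inputs: more key bits does not mean "modern".
  const char* suites[] = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                          "TLS_RSA_WITH_AES_256_CBC_SHA",
                          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"};
  for (const char* s : suites) {
    std::cout << s << ": " << AesKeyBits(s) << " bits, "
              << (IsModernConnection(TlsVersion::kTls12, s) ? "modern" : "legacy")
              << "\n";
  }
  return 0;
}
```

The 256-bit CBC suites come out as legacy while the 128-bit GCM suite is modern, which is the mismatch the old "N-bit encryption" text hid.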

Patch Set 1 #

Patch Set 2 : g try #

Patch Set 3 : ... #

Stats (+18 lines, -13 lines)
M chrome/app/generated_resources.grd: 1 chunk, +2 lines, -2 lines
M chrome/browser/ui/website_settings/website_settings.cc: 1 chunk, +14 lines, -9 lines
M chrome/browser/ui/website_settings/website_settings_unittest.cc: 1 chunk, +1 line, -1 line
M net/ssl/ssl_cipher_suite_names.h: 1 chunk, +1 line, -1 line

Messages

Total messages: 10 (3 generated)
agl
6 years, 1 month ago (2014-11-11 01:34:07 UTC) #2
felt
lgtm
6 years, 1 month ago (2014-11-12 17:33:18 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/703143003/20001
6 years, 1 month ago (2014-11-12 22:16:26 UTC) #5
commit-bot: I haz the power
Try jobs failed on following builders: chromium_presubmit on tryserver.chromium.linux (http://build.chromium.org/p/tryserver.chromium.linux/builders/chromium_presubmit/builds/23805)
6 years, 1 month ago (2014-11-12 22:22:56 UTC) #7
commit-bot: I haz the power
Patchset 3 (id:??) landed as https://crrev.com/71c2b59bc4f1c613a88662ebece9180a88125b61 Cr-Commit-Position: refs/heads/master@{#303935}
6 years, 1 month ago (2014-11-13 00:36:02 UTC) #8
agl
Committed patchset #3 (id:40001) manually as 71c2b59bc4f1c613a88662ebece9180a88125b61.
6 years, 1 month ago (2014-11-13 00:36:06 UTC) #9
lgarron
6 years, 1 month ago (2014-11-18 06:10:58 UTC) #10
Message was sent while issue was closed.
On 2014/11/13 00:36:06, agl wrote:
> Committed patchset #3 (id:40001) manually as
> 71c2b59bc4f1c613a88662ebece9180a88125b61.

So, the cipher bit "strength" is displayed in the full ciphersuite, but this may
not be obvious to everyone. I was about to object that there wasn't a way to
find it for those who (think they) need it, and it took me a while to realize
that it's surfaced as part of the ciphersuite. If you're only looking for "___
bits", you might not notice the cryptic spew of capital letters, underscores and
numbers, or you might not be comfortable assuming that the number in the
ciphersuite is the number that used to go before "bits". (I just did a quick
search, and it seems at least a few sites tell users to look for the phrase "128
bits". Arguably, practically all of those sites are probably outdated, though.)
Server operators might also want to test configs, and be similarly confused at
first.

Perhaps we should just be ready to have a clear answer in case someone
*perceives* that we started hiding information.

But given that the information is available in the ciphersuite, I like the
change. Be as clear and simple as possible, but leave the full details somewhere
for devs. Very Enamely. :-)
