[webkit-dev] Request for position: Removing 3DES from TLS

Alex Christensen achristensen at apple.com
Wed Apr 28 16:14:25 PDT 2021


They are aware of this thread now, but I can’t comment on any future plans.  I do have a few quick questions, though. 

A quick glance at the client hellos sent by browsers shows this:
Safari on Big Sur sends TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) in its supported cipher suites section of the client hello.
Firefox 88 sends TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a).
Chrome 90 sends no cipher suites with 3DES.

This might be why Chrome measures 0.00% use of TLS_RSA_WITH_3DES_EDE_CBC_SHA - because it doesn’t advertise that it supports it.  It seems to me that you’ve already removed support for 3DES in Chrome.  What was the measured use of 3DES cipher suites in the release before you removed support?  We have measured slightly above 0.00% use in a browser that does send 3DES cipher suites in its client hellos.

If you haven’t already removed support, how would one use it?  I’ll admit I haven’t gone through all the possibilities of renegotiation that TLS has.

> On Apr 28, 2021, at 8:21 AM, Alex Christensen via webkit-dev <webkit-dev at lists.webkit.org> wrote:
> 
> Your measurement of 0.00% use in Chrome is exciting.
> 
> Making this change would almost certainly not be a change in WebKit but I’ve reached out to the people who manage our crypto code.
> 
>> On Apr 28, 2021, at 7:14 AM, Michael Catanzaro via webkit-dev <webkit-dev at lists.webkit.org> wrote:
>> 
>> 
>> Looks like this change is clearly safe.
>> 
>> I doubt Safari controls its own TLS ciphersuite settings. In WebKitGTK, they're controlled by the operating system's TLS backend and crypto policy. 3DES has been disabled for a while now on modern systems, and users have not reported any compat issues, which is not surprising given your finding of 0.00%.
>> 
>> Michael
>> 
>> 
>> _______________________________________________
>> webkit-dev mailing list
>> webkit-dev at lists.webkit.org
>> https://lists.webkit.org/mailman/listinfo/webkit-dev


