Hacker News new | past | comments | ask | show | jobs | submit login

What worries me here, is a cargo-cult following of this advice.

Ephemeral Diffie-Helman adds an order of magnitude to the session initiation overhead (nginx got a bad rap a little while back, becuase it has kEDH enabled by default). I don't want to see people slide back into the "SSL is too expensive" mindset, because they don't understand the SSL options they are using.




I think this is a reasonable concern about DHE, but this blog post was specifically intended to rebut the concern: they optimized DHE and use EC (faster, smaller keys), and managed to get it deployed across all of Google. The subtext is that one reason DHE isn't widely deployed is poor implementation, and they've taken a step towards correcting it.


Thanks - I missed the DHE optimizations, and it's really nice to see that these improvements were immediately fed back into OpenSSL.


The post made it sound like just the bugfixes are in 1.0.0e, but the performance improvements may have not been accepted yet. I wonder if that is the case?

This is good to see, and I really appreciate the work google has put into making tls/ssl more pervasive.

I do wonder about the performance differences between their faster DHE implementation and what they were using before (RSA-RC4-SHA). I wish they had provided a bit of data on that.


It kind of has to be less performant, just because ECDHE uses more bignum crypto primitives.


Yeah, that makes sense.

I was mostly curious about how much faster their new implementation was over the old, and how much slower it was than RSA-RC4-SHA.


I think that with the session resumptions they got by using session tickets, this could easily end up being a net gain for them.


DH over elliptic curves is definitely fast enough for general purpose use, but on low-power devices it could be problematic. I think a better approach is the one I used in spiped: Each connection can pick whether to do a DH computation and get forward secrecy or to instead use a DH exponent of zero and still get regular secrecy.

Alas, SSL doesn't support such a mechanism.


Why can't the client just not list the DH cipher suites in the Client Hello?


People might turn on EDH and then decide it's too expensive, or if they come under attack, they can easily configure it off again.

Unlike, say, the new mandatory 2048 bit RSA key length requirements.


Seems like a lot of folks missed the section of the post explaining their implementation and use of _ECDHE_ not _EDH_. The performance impact of ECDHE is surprisingly small.


It doesn't help that Apache has a setting "kEDH - Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)" and "EDH - all ciphers using Ephemeral Diffie-Hellman key exchange" that (I think) maps to what IETF TLS calls "DHE - Ephemeral DH".

I get these confused all the time, and now they add in an "EC" prefix!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: