Google Chrome "Your connection to website is encrypted with obsolete cryptography"

  • Google Chrome is showing new information in the certificate section.

    image

    Is this a big deal? If so how can I fix it on the server end?

    EDIT: Thanks for the answers but I'm not skilled in cryptography so the only thing I can update with is this certificate was created by Shell in a Box, and I was also wondering if this was ruining the security of TLS/SSL communication with the application and if so, how I could fix it.

    This has been coined 'security shaming'. It made the Financial Times http://www.ft.com/cms/s/0/f53fe1ae-c98a-11e4-b2ef-00144feab7de.html

    You may also see "The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

  • Adm Selec

    Adm Selec Correct answer

    6 years ago

    Your exact case is that RSA is used as the key exchange mechanism. Instead, you should use DHE_RSA or ECDHE_RSA.

    To remove the "obsolete cryptography" warning, you'll need to use "modern cryptography" which is defined as:

    • Protocol: TLS 1.2 or QUIC
    • Cipher: AES_128_GCM or CHACHA20_POLY1305
    • Key exchange: DHE_RSA or ECDHE_RSA or ECDHE_ECDSA

    Twitter discussion: https://twitter.com/reschly/status/534956038353477632

    Commit: https://codereview.chromium.org/703143003

    This has nothing to do with a certificate. There is a special "outdated security settings" warning when a certificate uses weak signature algorithm, but this is about authentication, not about encryption. Note that you are still getting a green lock, even in case of obsolete encryption.

    So how do I generate my private/public keys using ECDHE_RSA? I'm getting the same error as OP, and I'm using this command to generate my keys `openssl req -x509 -newkey rsa:2048 -sha256 -keyout a.key -out a.crt -days 1000 -nodes -subj "..."`. I'm guessing I need to change the rsa:2048 param, but I can't find what I should be changing it to.

    @Rob You do not need to generate new keys - you just have to modify some server settings to allow clients to use at least one of the listed ciphersuites. In apache, this can be done in your VirtualHost configuration file. There is an SSL config generator you can use to make this easier: https://mozilla.github.io/server-side-tls/ssl-config-generator/

    Hey! Thanks for your response! That makes a lot of sense since I didn't understand why the certificate would be the one to dictate this. Unfortunately, I'm not using Apache, I'm using my own web server which is based off of Civetweb, so I'll have to look into that!

    Note for Tomcat, to change from AES_256_CBC to AES_128_GCM you'll have to upgrade from Java 7 to Java 8. See this answer: http://stackoverflow.com/a/21290409/57752

    My understanding is that certificates vouch that a public key belongs to a certain entity. If you are going to change from RSA to, say, DHE_RSA, wouldn't the server need a DHE_RSA public key and thus a new certificate that will vouch for this new public key?

    @Eddie Going from a 256 bit key to a 128 bit key seems like a big downgrade, why isn't 256 CBC just as good or better?

    Windows: from https://www.nartac.com/Support/IISCrypto/FAQ ... your website is using obsolete cryptography if the cipher suite does not support forward secrecy and authenticated encryption (AEAD). The only two cipher suites that support this on Windows using RSA certificates are TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256. Unfortunately those cipher suites use 1024 bits for their Diffie-Hellman parameters which has long been considered weak. The only way to get rid of this warning is to use DSA certificates or wait until Windows 10 Server is released...

    @Michael With a modern block cipher (e.g. AES), 128-bit keys are _good enough_ (in the sense that a brute-force attack is utterly infeasible). 256-bit keys just waste electricity and CPU time. This will change if quantum computers become practical, but we can worry about that then. Changing from CBC to GCM, however, really does increase your security. GCM is a newer, better-designed mode of operation which avoids several known weaknesses in CBC (as used by TLS).

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM