Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to caffeinator


Re: Google disables SSL compression in Chrome against new attack

SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI


You are still funny and if you used Opera..you would have done that last year to mitigate the BEAST..I posted that info in many forums myself and you can see it done here

»answers.yahoo.com/questi ··· 5AAjCZy5

»www.phonefactor.com/reso ··· east.pdf

And that is also why I think your panic over Crime..which is still not even presented yet... is mostly FUD..Beast was even a bigger problem and caught many with their pants down. Opera is not a guinea pig..it is a browser that has been out there since 1996 and never is really ready for prime time in all of its development cycle and new versions.
evoxllx
join:2007-06-07
Winter Park, FL

2 edits

evoxllx to Mele20

Member

said by Mele20:

SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.

The percentage of sites that don't support it is irrelevant when the sites that DO support it are some of the most sought after when it comes to these types of attacks, not to mention some of the largest sites/services on the internet.

Google, Facebook, PayPal, CloudFlare, etc.

The reason it's so slow to roll out is mostly due to buggy network devices and servers.

That being said, Opera lacks many things that I think are more important, such as HSTS and ECDHE support.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI


Exactly...So I would suggest to everyone who thinks the developer of their chosen browser is not on top of this issue of CRIME or any other vulnerability ...to hold off and see what they do..but if you are so paranoid and think the developer is behind the power curve..then start disabling "whatever"..at least you will learn more about your internet ride than you did last week... or change your browser.... I'll let Chrome change my oil and filter.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to Name Game

Sigh. Why are you on such a tear?

The screenshot is from my favorite version of Opera, 10 Preview which I downloaded in Aug 2009. It has no Unite. TLS 1.1 is checked. I've had it checked ever since it first appeared in an Opera version long before Beast attack last year.

You'll note from the screenshot that as far back as August 2009, Opera did not have SSL 2. I caught you out on that so I guess you are trying to get folks to forget that by going on about my being "funny". I believe the description fits you better.

"Panic over Crime"? Where in the world did you get that idea? I am concerned about SPDY because of the possible implications for Proxo and the fact that on Sea Monkey the Fx extension won't install so I can't monitor SPDY usage. My other browsers don't use SPDY. How does this translate to "panic over crime"? Geez...you need to stop posting so much as you appear to be getting things all mixed up.

Stop putting words in my mouth. I never said Opera was a guinea pig. Go back and read what I said. I asked if Opera should be expected to START ACTING LIKE A GUINEA PIG by DEFAULTING to TLS 1.2. I pointed out the EXCELLENT reasons a highly respected security developer gave for why Opera defaults to TLS 1.0. YOU want Opera to be a guinea pig because you fault it for not defaulting to TLS 1.2. I do NOT want Opera to be a guinea pig and it is NOT one.

MeDuZa
join:2003-06-13
Austria

MeDuZa to Name Game

Member

said by Name Game:

Exactly...

Not quite so Exactly.
- Opera(12) has HSTS support. evoxllx is wrong.
- Regarding ECDHE support:
quote:
Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.

In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.
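
The selection behaviour described in the quoted explanation above, as an added example that is not part of the original post and is not Opera's or any server's code: a client without elliptic-curve support lists DHE_RSA ahead of plain RSA, and the outcome still depends on what the server supports and whose ordering it honours. The suite lists and function names are constructed for illustration (real IANA suite names, hypothetical orderings).

```python
# Added illustration of TLS cipher-suite selection; not Opera's or any server's code.
# All suite lists are constructed samples (real IANA names, hypothetical ordering).

FORWARD_SECRET_KX = {"DHE", "ECDHE"}

# Client with no elliptic-curve support that lists DHE_RSA ahead of plain RSA.
CLIENT_NO_ECC = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
# Server that prioritizes ECDHE and RSA/RC4 and offers no DHE_RSA suites.
SERVER_NO_DHE = [
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# Server that supports DHE_RSA but ranks it below plain RSA.
SERVER_DHE_LAST = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

def key_exchange(suite):
    """'TLS_DHE_RSA_WITH_AES_128_CBC_SHA' -> 'DHE'; 'TLS_RSA_WITH_...' -> 'RSA'."""
    return suite[len("TLS_"):].split("_WITH_")[0].split("_")[0]

def select_suite(client_offer, server_suites, server_preference=True):
    """Return the suite the server picks, or None (handshake failure)."""
    common = [s for s in client_offer if s in server_suites]  # client order
    if not common:
        return None
    if server_preference:          # server ranks the shared suites itself
        return min(common, key=server_suites.index)
    return common[0]               # server honours the client's ranking

def negotiate(client_offer, server_suites, server_preference=True):
    """Return (chosen suite, whether it gives forward secrecy)."""
    suite = select_suite(client_offer, server_suites, server_preference)
    fs = suite is not None and key_exchange(suite) in FORWARD_SECRET_KX
    return suite, fs

if __name__ == "__main__":
    for name, server in (("no DHE", SERVER_NO_DHE), ("DHE last", SERVER_DHE_LAST)):
        for pref in (True, False):
            print(name, "server_preference=%s" % pref, negotiate(CLIENT_NO_ECC, server, pref))
```

Only the combination of a server that supports DHE_RSA and honours the client's ordering ends up with a forward-secret suite for this client.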

KodiacZiller
Premium Member
join:2008-09-04
73368


said by MeDuZa:

said by Name Game:

Exactly...

Not quite so Exactly.
- Opera(12) has HSTS support. evoxllx is wrong.
- Regarding ECDHE support:
quote:
Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.

In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.

ECC needs to become the standard already. It is much more efficient than RSA (it uses much smaller keys, but they are equally secure at a smaller size). Instead of a 2048 bit RSA key, you can get equivalent strength from a 224 bit ECC key, which makes it much faster and efficient.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Mele20

Some people are still using older versions of Opera just like you are still using Firefox versions 4.0.1 28.
You also have the new Sea Monkey 2.12.1 which became available 10 September, 2012 which now has Spdy.
so get an older version
»dev.oldapps.com/seamonke ··· key=8200

This SPDY thing you are on about trying to destroy Proxo is still funny and the only guinea pigs (no caps needed) I know with Opera are the users who try to get their final releases to work over the years. That's why many stick with older versions. Sound familiar?