crypto/tls: Disable CBC Ciphers by default

[pquerna]

Per @agl on Twitter, the only way to be safe with Go and TLS if you are worried about Lucky13-style attacks is to disable CBC mode ciphers:

https://twitter.com/agl__/status/669182140244824064

Currently none of the CBC ciphers are marked with suiteDefaultOff: https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L75-L95

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

It seems wrong for Go to have insecure defaults for a class of attacks that is becoming more well documented. If there is no willingness to implement countermeasures, shouldn't the vulnerable class of ciphers be disabled by default?

[timcooijmans]

Disabling CBC so will break compatibility with many operating systems and devices. In practice all public-facing Go-services would have to re-enable the CBC-ciphersuites. So the question is wether implementing countermeasures isn't the only viable solution.

[bradfitz]

Perhaps it just needs to be easier to change the global, default ciphersuites without re-wiring up a *tls.Config, *http.Server, *http.Transport, etc.

[pquerna]

@bradfitz such a method would be a good start; http2 is already has a blacklist of ciphers, making a way to more easily control that behavior in the various invocations of cipher configurations / global default would be a great start.

[DemiMarie]

If disabling CBC is not an option, Go needs to implement the appropriate countermeasures in its cryptography (or call out to a third-party library that does so).

Also AEAD ciphers should automatically be preferred when possible.

[timcooijmans]

I agree, as long as CBC is needed to support all commonly used browsers and libraries, fixing CBC is the only solution, no matter how ugly and complex it may be. While disabling CBC ensures a safe-default. The fact that in practice any public service needs to re-enable it, still leads to unsafe situations that could lead to breaches and negative publicity for Go.

[gopherbot]

CL https://golang.org/cl/17532 mentions this issue.

[gopherbot]

CL https://golang.org/cl/18130 mentions this issue.

[gopherbot]

CL https://golang.org/cl/33665 mentions this issue.