Google and Amazon do not offer ciphers using Diffie-Hellman Ephemeral mode.

[root@jne-f14 cnark]# ./cnark.pl –host amazon.com –port 443
….
SSL Certificate Information…

Certificate Commmon Name: www.amazon.com

Testing SSLv2 Ciphers…
DES-CBC3-MD5 — 168 bits, High Encryption
RC2-CBC-MD5 — 128 bits, Medium Encryption
RC4-MD5 — 128 bits, Medium Encryption

DES-CBC-MD5 — 56 bits, Low Encryption
EXP-RC2-CBC-MD5 — 40 bits, Export-Grade Encryption
EXP-RC4-MD5 — 40 bits, Export-Grade Encryption

Testing SSLv3 Ciphers…
DES-CBC3-SHA — 168 bits, High Encryption
RC4-SHA — 128 bits, Medium Encryption
RC4-MD5 — 128 bits, Medium Encryption

DES-CBC-SHA — 56 bits, Low Encryption
EXP-DES-CBC-SHA — 40 bits, Export-Grade Encryption
EXP-RC4-MD5 — 40 bits, Export-Grade Encryption

Testing TLSv1 Ciphers…
AES256-SHA — 256 bits, High Encryption
DES-CBC3-SHA — 168 bits, High Encryption
AES128-SHA — 128 bits, High Encryption
RC4-SHA — 128 bits, Medium Encryption
RC4-MD5 — 128 bits, Medium Encryption

DES-CBC-SHA — 56 bits, Low Encryption
EXP-DES-CBC-SHA — 40 bits, Export-Grade Encryption
EXP-RC4-MD5 — 40 bits, Export-Grade Encryption

[root@jne-f14 cnark]# ./cnark.pl –host google.com –port 443

SSL Certificate Information…

Certificate Commmon Name: www.google.com

Testing SSLv2 Ciphers…

Testing SSLv3 Ciphers…
AES256-SHA — 256 bits, High Encryption
DES-CBC3-SHA — 168 bits, High Encryption
AES128-SHA — 128 bits, High Encryption
RC4-SHA — 128 bits, Medium Encryption
RC4-MD5 — 128 bits, Medium Encryption

Testing TLSv1 Ciphers…
AES256-SHA — 256 bits, High Encryption
DES-CBC3-SHA — 168 bits, High Encryption
AES128-SHA — 128 bits, High Encryption
RC4-SHA — 128 bits, Medium Encryption
RC4-MD5 — 128 bits, Medium Encryptio
n

So….where are all the ciphers incorporating DHE (Diffie-Hellman Ephemeral mode), such as DHE-RSA-AES256-SHA?

What does this mean for the typical user?

Simply put: Google and Amazon are capable of decrypting all of their HTTPS traffic using only their private keys.  Some of the possible reasons why they would prefer to use these non-DHE ciphers: ease of debugging or dealing with government subpoenas asking for detailed traffic records.

However, what if the private keys have been compromised by outsiders getting a copy of the private keys? This could be accomplished by either 0-day exploits or social engineering (including, but not limited to, bribing internal staff). These outsiders would be capable of decrypting fully captured HTTPS sessions and be able to sniff out sensitive information such as credit cards, addresses, messages, etc.

Can the users fully (and more importantly, continually) trust that the private keys are not in possession of anyone outside Google or Amazon? Ciphers using DHE go a long way to add another layer of protection against this possible scenario.  DHE ciphers could, in a way, be viewed as the last line of defense in case the server private keys have been leaked. How about it, Google and Amazon? There’s room to improve the security for your web traffic/transactions…

This entry was posted in Web/Tech. Bookmark the permalink.