4

I came across a mention of the NONE cipher being possible/available for HTTPS.

Is it supported by any browsers for accessing any web-sites over the https:// address scheme?

(What would be a snippet to create a test/one-time https server with the NONE cipher?)

Community
  • 1
cnst
  • 1,884
  • 2
  • 19
  • 30

3 Answers3

4

Is it supported by any browsers for accessing any web-sites over the https:// address scheme?

I think you are referring to TLS_NULL_WITH_NULL_NULL or similar ciphers were no encryption is done. None of the current browsers offers this cipher and I don't think that there will be a reason in the future to offer such more than weak ciphers because you would just get the overhead of TLS without gaining any security.

As for TLS_NULL_WITH_NULL_NULL specifically the RFC 5246 (TLS 1.2) states that is just the initial state and should never be negotiated. There are other ciphers with NULL encryption like TLS_RSA_WITH_NULL_SHA which still offer authentication but since they don't encrypt it is unlikely that you will see these ever offered by the browsers.

For details about the ciphers offered by the various SSL clients see https://www.ssllabs.com/ssltest/clients.html.

Community
  • 1
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Yes I think he's referring to first four cipher suites specified in the [TLS rfc appendix](https://tools.ietf.org/html/rfc5246#appendix-A.5). – puzzlepalace Jan 31 '16 at 22:34
  • @puzzlepalace: Thanks, I've integrated a link to this part of the RFC into the answer. – Steffen Ullrich Jan 31 '16 at 22:40
  • 2
    [RFC 7525](https://tools.ietf.org/html/rfc7525#section-4.1) is a "best practice" document that talks about TLS usage, and it explicitly forbids ("MUST NOT") negotiating a cipher suite that does not include encryption. So not only do current servers and browsers not support them, but it is quite unlikely to change in the future. – Tom Leek Feb 01 '16 at 13:36
1

This is a subset of the TLS (or SSL, for really out of date setups) cipher suite negotiation. I go into more detail in My answer to Recommended ssl_ciphers for security, compatibility - Perfect Forward secrecy, but the long and short of it is:

Per the TLS 1.2 document RFC 5246 starting at section 7.4.1.2 to see, in the short short form, the cipher suite negotiation:

  • ClientHello: The client tells the server which cipher suites the client supports
  • Now the server picks one
    • I'll discuss how to control which one it picks next!
  • ServerHello: The server tells the client which cipher suite it has chosen, or gives the client a failure message.

Therefore, BOTH the client AND the server would have to allow the same NULL cipher suite for it to even be possible, and even if they both allow it, it would have to be the one the server chooses. This would be a horrifically bad setting; even the worst normal failures at ssllabs.com (far right list, look particularly for F's) don't get that bad, though they are vulnerable to just about everything else under the sun.

For your test, create your own server, and put the NULL cipher suite you prefer as the only option. Then either use openssl in client mode, or a browser that supports that NULL cipher suite to test it.

Community
  • 1
Anti-weakpasswords
  • 9,785
  • 2
  • 23
  • 51
  • "it would have to be the one the server chooses" is not a hurdle, because the server is the MITM attacker. So it comes down to whether the client allows it. – user253751 Feb 01 '16 at 00:41
  • 1
    If the server is the attacker, why would it care how strong the cipher suite is? It owns its own end of the connection, so it can decrypt all the traffic regardless. – Anti-weakpasswords Feb 01 '16 at 04:46
  • Do you understand how a MITM attack works? The client's connection is somehow redirected to the attacker, and then the attacker connects to the server normally, and passes the data through. The client thinks they're talking to the server when they're actually talking to the attacker. – user253751 Feb 01 '16 at 08:27
  • 1
    MitM is not part of the original question, so if that was your intention, please add an update to the original question. – Anti-weakpasswords Feb 01 '16 at 08:37
  • I'm not the question asker. – user253751 Feb 01 '16 at 20:04
1

NONE cipher can be available in opera 12. It is disabled by default. There seems to be TLS_RSA_NULL_SHA and SHA2, I have only tested sha. For test server, I used openssl s_server, it also requires some special configuration (NULL cipher not enabled by default). Even, when connection successfully, there were some security warning, in browser. openssl used was 1.0.1, which is old. Command line was: openssl s_server -www -cert [cert] -key [key] -cipher NULL-SHA

yyy
  • 11
  • 1
  • Also, in opera 12, there are available anonymous (null auth) ciphers, these also can be tested with openssl server, but in that case, openssl cannot simultaneously do authenticated connections. – yyy Feb 01 '16 at 09:01
  • Cool! Can you provide more details? You mention that it is disabled by default in Opera -- how did you enable it? (Feel free to post screenshots.) Can you also provide more details about the anonymous ciphers, too, for no authentication? – cnst Feb 01 '16 at 20:16
  • [menu]\settings\preferences\advanced\security\security_protocols\details, there is a list of all available ciphersuites, this includes both null enc [RSA_NULL_SHA; RSA_NULL_SHA256] and null auth [ADH_3DES_SHA; ADH_AES128_SHA256; ADH_AES256_SHA256]. – yyy Feb 02 '16 at 09:43