Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/sophieschmieg/statuses/114246198316571001">Sophie Schmieg (sophieschmieg@infosec.exchange)'s status on Saturday, 29-Mar-2025 23:35:38 JST</a><a href="https://infosec.exchange/@sophieschmieg" title="sophieschmieg@infosec.exchange"><img src="https://gnusocial.jp/avatar/41310-48-20241001225805.webp" width="48" height="48" alt="Sophie Schmieg" style="position: absolute; left: 0; top: 0;">Sophie Schmieg</a><div><a href="https://infosec.exchange/@sophieschmieg/114244301906757754" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/38360" title="gossithedog@cyberplace.social">Kevin Beaumont</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@sawaba">@sawaba</a> <a href="https://cyberplace.social/@GossiTheDog">@GossiTheDog</a> for small to medium sized businesses that are not doing anything more adventurous than TLS when it comes to cryptography, my advice would be, if there is some free engineering capacity, to turn on 0x11EC (X25519-ML-KEM768) in their TLS config, assuming their stack supports the cipher. (The various different stacks are adding support for that currently)<br>That way, you can check if anything breaks, with both Chrome and Firefox negotiating that cipher by default, and Safari rolling out support for it. The main risk is with middleware breaking. <br>In that threat model, it may not be the most urgent task, but it's relatively simple, depending on the used TLS stack. You can also turn on the equivalent KEX in SSH (supported in OpenSSH). Otherwise, in that threat model, I wouldn't do much at all (and even these two things are mostly optional, unless there are very strict long term confidentiality concerns).<br>Of course, if your threat model is more adventurous, you might want to hire some cryptographers 🙂</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4809477#notice-9426925">In conversation</a><time datetime="2025-03-29T23:35:38+09:00" title="Saturday, 29-Mar-2025 23:35:38 JST">about 2 months ago</time> <span>from <span><a href="https://gnusocial.jp/notice/9426925" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/9426925">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Sophie Schmieg (sophieschmieg@infosec.exchange)'s status on Saturday, 29-Mar-2025 23:35:38 JSTSophie Schmieg
in reply to
- Adrian Sanabria
- Kevin Beaumont
@sawaba @GossiTheDog for small to medium sized businesses that are not doing anything more adventurous than TLS when it comes to cryptography, my advice would be, if there is some free engineering capacity, to turn on 0x11EC (X25519-ML-KEM768) in their TLS config, assuming their stack supports the cipher. (The various different stacks are adding support for that currently)
That way, you can check if anything breaks, with both Chrome and Firefox negotiating that cipher by default, and Safari rolling out support for it. The main risk is with middleware breaking.
In that threat model, it may not be the most urgent task, but it's relatively simple, depending on the used TLS stack. You can also turn on the equivalent KEX in SSH (supported in OpenSSH). Otherwise, in that threat model, I wouldn't do much at all (and even these two things are mostly optional, unless there are very strict long term confidentiality concerns).
Of course, if your threat model is more adventurous, you might want to hire some cryptographers 🙂
In conversationabout 2 months ago from gnusocial.jppermalink

Public

Embed Notice

HTML Code

Corresponding Notice