Nowadays, when I point my browser at https sites, the cipher used on most occasions is Camellia. My browsers (Chrome and Firefox) seem to prefer it, even when AES is available.

Is that not kind of dangerous? Camellia has not received as much scrutiny as e.g. AES has, so we actually know less about its security. Would it not be much better if AES were the default? I know I can change the cipher in Firefox, but it is not obvious how to do the same in Chrome.

MKK

  • Personally, I've never seen Camellia in use in the wild. Could you post some links to sites which use it? (I'm curious.) RC4 or AES seem to be the most common SSL algorithms these days. There's some discussion of Camellia here. – hunter Mar 01 '13 at 16:33
  • @hunter: login.yahoo.com for one – Jumbogram Mar 02 '13 at 14:16
  • @Jumbogram - yes, Yahoo is mentioned in the link that I posted. Still, that's the only one that I'm aware of. I certainly wouldn't say that Camellia is "widely used" (despite being a strong algorithm). – hunter Mar 02 '13 at 15:57
  • This is an example: https://ebanking.easybank.at As is almost any other Austrian bank. – MKK Mar 04 '13 at 14:47
  • I just found out that Camellia is an EU recommended cipher: https://www.cosic.esat.kuleuven.be/nessie/deliverables/press_release_feb27.pdf So I guess it was kind of unfair to term it 'dangerous'. Sorry. – MKK Mar 07 '13 at 15:51
  • Not sure why you guys say those websites use Camellia. As far as I can see it uses the AES encryption algorithm? :S –  Sep 27 '13 at 03:42

1 Answer

The reason why you see that is because Camellia is the highest-preference cipher in NSS (Chrome and Firefox). Servers that support Camellia and use the client-preferred cipher suite will use Camellia.

NSS's rationale for this ordering is:

National ciphers such as Camellia are listed before international ciphers such as AES and RC4 to allow servers that prefer Camellia to be able to negotiate Camellia without having to disable AES and RC4, which are needed for interoperability with clients that don't yet implement Camellia.

See also: Bug 430875

Paŭlo Ebermann
Jumbogram

  • "reason for NSS's ordering" makes little sense. A server preferring unusual ciphers can simply choose a cipher that's lower on the client's list. – CodesInChaos Mar 02 '13 at 14:05
  • @CodesInChaos: Indeed, this seems like a silly reason, given the existence of SSLHonorCipherOrder and similar options for other servers. Still, +1 to Jumbogram for figuring out the reason, even if it's silly. – Ilmari Karonen Mar 02 '13 at 19:20
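An added example (not from the question or the answer) that models the two selection policies discussed above: the client-preferred pick, under which an NSS-style ordering makes Camellia win, and the server-preferred pick (Apache's SSLHonorCipherOrder) that lets the operator override it. The suite lists are constructed subsets for illustration, not the real NSS or any server's list.

```python
from typing import Optional, Sequence

# Constructed client order modelled on the NSS rationale quoted in the answer:
# national ciphers (Camellia) before international ones (AES, RC4).
NSS_STYLE_CLIENT = [
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# Constructed older client that does not implement Camellia at all.
LEGACY_CLIENT = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# Constructed server that prefers Camellia but keeps AES and RC4 enabled for
# interoperability (the situation the NSS rationale describes).
CAMELLIA_FIRST_SERVER = [
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# Constructed server whose operator prefers AES over everything else.
AES_FIRST_SERVER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]


def negotiate(client: Sequence[str], server: Sequence[str],
              honor_server_order: bool = False) -> Optional[str]:
    """Return the first suite, walked in the preferring party's order, that both
    sides support. The default follows the client's order (what the question
    observes); honor_server_order=True models SSLHonorCipherOrder. Returns None
    when the lists do not overlap, i.e. the handshake would fail."""
    preferred, other = (server, client) if honor_server_order else (client, server)
    supported = set(other)
    return next((suite for suite in preferred if suite in supported), None)


if __name__ == "__main__":
    print("client order, AES-first server:", negotiate(NSS_STYLE_CLIENT, AES_FIRST_SERVER))
    print("server order, AES-first server:", negotiate(NSS_STYLE_CLIENT, AES_FIRST_SERVER, True))
    print("legacy client, Camellia-first server honouring its own order:",
          negotiate(LEGACY_CLIENT, CAMELLIA_FIRST_SERVER, True))
```

The third case is CodesInChaos's point: a server that prefers Camellia and honours its own order still falls through to AES for clients that lack Camellia, so the client-side ordering is not needed for interoperability.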