As of February 2014, almost all HTTPS connections made from Chrome browsers on Android devices to Google properties have used this new cipher suite. We plan to make it available as part of the Android platform in a future release. If you’d like to verify which cipher suite Chrome is currently using, on an Android device or on desktop, just click on the padlock in the URL bar and look at the connection tab. If Chrome is using ChaCha20-Poly1305 you will see the following information:
ChaCha20 and Poly1305 were designed by Prof. Dan Bernstein from the University of Illinois at Chicago. The simple and efficient design of these algorithms combined with the extensive vetting they received from the scientific community make us confident that these algorithms will bring the security and speed needed to secure mobile communication. Moreover, selecting algorithms that are free for everyone to use is also in line with our commitment to openness and transparency.
We would like to thank the people who made this possible: Dan Bernstein who invented and implemented both ChaCha/20 and Poly1305, Andrew Moon for his open-source implementation of Poly1305, Ted Krovetz for his open-source implementation of ChaCha20 and Peter Schwabe for his implementation work. We hope there will be even greater adoption of this cipher suite, and look forward to seeing other websites deprecate AES-SHA1 and RC4-SHA1 in favor of AES-GCM and ChaCha20-Poly1305 since they offer safer and faster alternatives. IETF draft standards for this cipher suite are available here and here.
While I am glad to hear that and I know Google has access to the brighest brains, probably even outdoing Microsoft as an employer in this respect: since the NSA revelation by a certain "Russian agent" called Snowdenow we all fret how all of your efforts might be compromised right from the start. Unexpected payloads, undetected trapdoors, man in the middle, anyone?
Follow
3 comments :
No Linux distro seems to ship an OpenSSL with those patches applied yet.
While I am glad to hear that and I know Google has access to the brighest brains, probably even outdoing Microsoft as an employer in this respect: since the NSA revelation by a certain "Russian agent" called Snowdenow we all fret how all of your efforts might be compromised right from the start. Unexpected payloads, undetected trapdoors, man in the middle, anyone?
Well, since Android’s SSH implementation doesn’t have it, it’s rather pointless…
(I use those cyphers on all my servers, and the stupid Android phones can’t handle it.)
Post a Comment