The recommendations below are for personal websites only. Even the so-called Performance First profile is not suitable for commercial websites.
Security First
- Protocol: TLS 1.3 only
- Ciphersuite: TLS_AES_256_GCM_SHA384 only
- ECDH curve: X25519 only
- No need to prefer server cipher
- Certificate: 4096-bit RSA certificate, issued by ZeroSSL
Balanced
- Protocol: TLS 1.2 and 1.3
- Ciphersuite: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-CHACHA20-POLY1305 for TLS 1.2, default ciphersuites for TLS 1.3
- ECDH curve: X25519 and P-384
- No need to prefer server cipher
- Certificate: 384-bit ECC certificate, issued by ZeroSSL
Performance First
- Protocol: TLS 1.2 and 1.3
- Ciphersuite: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-CHACHA20-POLY1305 for TLS 1.2, default ciphersuites for TLS 1.3
- ECDH curve: X25519 and P-256
- No need to prefer server cipher
- Certificate: 256-bit ECC certificate, issued by ZeroSSL
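As an added example that is not part of the original page, this nginx server block implements the Balanced profile, with the directives that change for the other two profiles given in comments. It assumes nginx 1.19.4 or newer built against OpenSSL 1.1.1 or newer (needed for ssl_conf_command), and the hostname and certificate paths are placeholders.

```nginx
# Balanced profile: TLS 1.2 + 1.3, three ECDHE-ECDSA suites for 1.2,
# library defaults for 1.3, curves X25519 and P-384, 384-bit ECC certificate.
server {
    listen 443 ssl;
    server_name example.com;                      # placeholder hostname

    # 384-bit ECC (P-384) certificate issued by ZeroSSL; placeholder paths
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites only. With OpenSSL 1.1.1+ ssl_ciphers does not touch
    # TLS 1.3, so TLS 1.3 keeps the library defaults as the profile asks.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;

    # ECDH curves: X25519 and P-384 (OpenSSL names P-384 "secp384r1").
    ssl_ecdh_curve X25519:secp384r1;

    # "No need to prefer server cipher": the client's order wins.
    ssl_prefer_server_ciphers off;
}

# Security First differs in these directives and uses a 4096-bit RSA
# certificate/key pair instead of the ECC files above:
#   ssl_protocols TLSv1.3;
#   ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384;  # sole TLS 1.3 suite
#   ssl_ecdh_curve X25519;
#   (ssl_ciphers becomes irrelevant because TLS 1.2 is disabled)
#
# Performance First differs only in the curve list and uses a 256-bit ECC
# certificate; "prime256v1" is OpenSSL's name for P-256:
#   ssl_ecdh_curve X25519:prime256v1;
```

After `nginx -t` and a reload, `openssl s_client -connect example.com:443 -tls1_2` should fail to negotiate under Security First and report one of the three ECDHE-ECDSA suites under the other two profiles.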
Reason
Why not P-256 for all
The core issue is the strange, unexplained seeds behind P-256 and P-384, which makes it fairly possible that P-256 can be cracked by the NSA. P-384 has more bits, so it would be hard to crack even if a backdoor exists. So when security is a must, we should avoid both P-256 and P-384, which leads to RSA certificates and the X25519 ECDH curve.
However, ECC certificates come with their own compatibility considerations once IE on Windows is taken into account. So, for websites that are not that important, P-384 can be used as a compromise while still avoiding P-256.
And for websites that hold no important information, meaning you do not mind the NSA spying on the data, P-256 can be used, as it provides higher performance.
Why ZeroSSL
The NSA has the ability to force CAs in the US to hand over their private keys (see here), so Let's Encrypt cannot be trusted. ZeroSSL is a company in Austria, which means it is not affected by US laws. Its ToS says:
The terms and use of ZeroSSL, product and software, are governed by Austrian law. Any litigation arising from use of ZeroSSL will be done through Austrian courts. As with all terms and conditions, use of ZeroSSL constitutes agreement to the same.