[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #20751 [Applications/TorBirdy]: enforce stronger ciphers in torbirdy



#20751: enforce stronger ciphers in torbirdy
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  sukhbir
     Type:  enhancement                          |         Status:  new
 Priority:  Low                                  |      Milestone:
Component:  Applications/TorBirdy                |        Version:
 Severity:  Minor                                |     Resolution:
 Keywords:  torbirdy, thunderbird,               |  Actual Points:
  TorBirdy0.2.2                                  |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by sukhbir):

 * keywords:  torbirdy, thunderbird => torbirdy, thunderbird, TorBirdy0.2.2


Comment:

 Thanks for reporting this issue.

 We have been meaning to do this and while we do have safer secure defaults
 than Thunderbird (see below from components/torbirdy.js), I agree we can
 do better.

 {{{
   // Thunderbird 23.0 uses the following preference.
   // https://bugs.torproject.org/11253
   "security.tls.version.min": 1,
   "security.tls.version.max": 3,
 }}}

 and ...

 {{{
   // Reject all connection attempts to servers using the old SSL/TLS
 protocol.
   "security.ssl.require_safe_negotiation": true,
   // Warn when connecting to a server that uses an old protocol version.
   "security.ssl.treat_unsafe_negotiation_as_broken": true,
 }}}

 Part of the reason I delayed this was because we need a way for users to
 be able to use less secure defaults via TorBirdy's preferences and I
 haven't spend much time thinking on how to do that yet.

 Let's tackle this in the 0.2.2 release.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20751#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs