
Re: [tor-talk] time to disable 3DES?



On 10/7/13, grarpamp <grarpamp@xxxxxxxxx> wrote:
> On Mon, Oct 7, 2013 at 3:58 PM, Lee <ler762@xxxxxxxxx> wrote:
>> Isn't it time to quit using DES?
>>
>> Finally gave TBB a try (version 2.3.25-13), seems to me that the
>> firefox component needs a lot of hardening.
>>
>> https://www.mikestoolbox.org/
>
> This may be a function of the crypto library on your box (if dynamic),
> rather than the supplied firefox itself (which it would be if static).
> I don't have TBB handy.

Sure seems to be a function of Firefox. Enter about:config in the
URL bar, enter security.ssl in the search bar, double-click lines
containing 'des' to change the pref to false, revisit
https://www.mikestoolbox.org/


> printf 'GET / HTTP/1.0\n\n' \
>  | openssl_101e s_client -connect www.mikestoolbox.org:https -ign_eof
>  DHE-RSA-AES256-SHA256
>
> 0.9.8x: DHE-RSA-AES256-SHA
>
> And that particular toolbox doesn't seem to support certain suites, ie:
> ECDHE-RSA-AES256-GCM-SHA384: handshake failure

The point was showing the ciphers supported by the browser.  For this
case, I don't care what ciphers the server supports.

>> Client Cipher Suites:
>
> 3DES is probably not least of note as all posted were SHA1 or lesser.

Which means?

I know approximately zip about crypto, but AES was selected as the
replacement for DES back in 2000 & it seems like DES has always lived
under the cloud of "did NSA deliberately weaken it?"   So why keep it
around?  It's not like there are no alternatives..

Regards,
Lee
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
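
The check discussed in this message (which cipher suites the browser itself offers, regardless of what the server supports) can also be done offline against a captured ClientHello. The following is an added example, not part of the original thread: the function names are hypothetical, the suite table is a subset of the IANA registry, and the sample records are constructed.

```python
import struct

# DES/3DES suite IDs from the IANA TLS cipher suite registry (subset).
DES_SUITES = {
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC008: "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}

def client_cipher_suites(record):
    """Return cipher suite IDs offered in one TLS record holding a whole ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) < hs_len:
        raise ValueError("truncated or fragmented ClientHello")
    pos = 2 + 32                      # skip client_version and random
    if len(hello) < pos + 1:
        raise ValueError("ClientHello too short")
    pos += 1 + hello[pos]             # skip session_id
    if len(hello) < pos + 2:
        raise ValueError("ClientHello too short")
    cs_len = struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]

def des_offered(record):
    """Names of DES/3DES suites the client offered, in the client's preference order."""
    return [DES_SUITES[s] for s in client_cipher_suites(record) if s in DES_SUITES]

def build_sample_hello(suites):
    """Constructed ClientHello (TLS 1.0, zero random, no extensions) for the demo."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    before = build_sample_hello([0x0039, 0x0035, 0x0016, 0x000A])  # constructed
    after = build_sample_hello([0x0039, 0x0035])                   # constructed
    print("before:", des_offered(before))
    print("after: ", des_offered(after))
```

An empty list after the about:config change confirms the client no longer advertises DES or 3DES; a ClientHello split across several TLS records is rejected rather than reassembled.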