
Re: [tor-talk] time to disable 3DES?



* Lee <ler762@xxxxxxxxx> [2013-10-07 21:49:29 -0400]:
> On 10/7/13, Yawning Angel <yawning@xxxxxxxxxxxxxxx> wrote:
> > * Lee <ler762@xxxxxxxxx> [2013-10-07 15:58:19 -0400]:
> >> Isn't it time to quit using DES?
> >>
> >> Finally gave TBB a try (version 2.3.25-13), seems to me that the
> >> firefox component needs a lot of hardening.
> >
> > DES != 3DES, and supporting 3DES suites is standard across major browsers.
> 
> Right.  But is it still safe to use?

Why wouldn't it be?  As far as I can tell you have yet to come up with any
convincing reason as to why it's broken beyond "the NSA had a hand in its
design[0]" and "the name has DES in it".

Note that Stefan Lucks' attack requires too many known plaintexts to be
relevant in this context and is still (probably) computationally infeasible.

> So...  if you're visiting a web site that does only 3DES encryption,
> is that good enuf or do you say no thanks & go elsewhere?

*shrugs*  If I noticed, it would be amusing since the webserver is burning a lot
of CPU by using 3DES, and I would question the system administrator's
sanity/competence, but on its own, it's not a sufficient reason for me to
ignore the site.

This is getting off-topic so I will stop now.

-- 
Yawning Angel

[0]: If that's sufficient reason to drop something, the only cipher suite on the
list that you would have left is TLS_RSA_WITH_RC4_128_MD5.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk