
Re: [tor-talk] howsmyssl



Guys, I am not trying to be rude. I'm a sensitive. Never been called rude.
I am 30% fascinated by your back and forth, and 95% clueless.
I didn't know that you ALL can see what I wrote.

I thought, or didn't think :), it was like a regular chat: whoever was on
at the time saw what I wrote. Now I get it. Can't assume so much. Like a
lawyer or judge, and hopefully a reporter and a spy, they can't assume
stuff. OK, thanks.

Greg Curcio

On Wed, Oct 15, 2014 at 6:42 AM, <
BM-2cTjsegDfZQNGQWUQjSwro6jrWLC9B3MN3@xxxxxxxxxxxxx> wrote:

>
>
> On Wed, 15 Oct 2014 02:53:03 +0000
> tor-talk-request@xxxxxxxxxxxxxxxxxxxx wrote:
>
> > Hi!  It's a new month, so that means there's a new attack on TLS.
> >
> > This time, the attack is that many clients, when they find a server
> > that doesn't support TLS, will downgrade to the ancient SSLv3.  And
> > SSLv3 is subject to a new padding oracle attack.
> >
> > There is a readable summary of the issue at
> > https://www.imperialviolet.org/2014/10/14/poodle.html .
> >
> > Tor itself is not affected: all released versions for a long time have
> > shipped with TLSv1 enabled, and we have never had a fallback mechanism
> > to SSLv3. Furthermore, Tor does not send the same secret encrypted in
> > the same way in multiple connection attempts, so even if you could
> > make Tor fall back to SSLv3, a padding oracle attack probably wouldn't
> > help very much.
> >
> > TorBrowser, on the other hand, does have the same default fallback
> > mechanisms as Firefox.  I expect and hope the TorBrowser team will be
> > releasing a new version soon with SSLv3 enabled.  But in the meantime,
> > I think you can disable SSLv3 yourself by changing the value of the
> > "security.tls.version.min" preference to 1.
> >
> > To do that:
> >
> > 1.  enter "about:config" in the URL bar.
> >
> > 2. Then you click "I'll be careful, I promise".
> >
> > 3. Then enter "security.tls.version.min" in the preference "search"
> > field underneath the URL bar.  (Not the search box next to the URL
> > bar.)
> >
> > 4. You should see an entry that says "security.tls.version.min" under
> > "Preference Name".  Double-click on it, then enter the value "1" and
> > click okay.
> >
> > You should now see that the value of "security.tls.version.min" is
> > set to one.
> >
> >
> > (Note that I am not a Firefox developer or a TorBrowser developer: if
> > you're cautious, you might want to wait until one of them says
> > something here before you try this workaround.)
> >
> >
> > Obviously, this isn't a convenient way to do this; if you are
> > uncertain of your ability to do so, waiting for an upgrade might be a
> > good move.  In the meantime, if you have serious security requirements
> > and you cannot disable SSLv3, it might be a good idea to avoid using
> > the Internet for a week or two while this all shakes out.
> >
> > best wishes to other residents of interesting times,
> > --
> > Nick
>
>
> While on the topic, these links discuss this issue and provide a test
> for the TLS suite:
> https://blog.dbrgn.ch/2014/1/8/improving_firefox_ssl_tls_security/
> https://www.howsmyssl.com/
>
> The link states that: Another issue is the support for the
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA cipher, which may or may not be a
> good idea to use: https://github.com/jmhodges/howsmyssl/pull/17.
> Firefox 26 supports cipher suites that are known to be insecure.
>
> This setting can also be disabled in the Firefox configuration. In the
> about:config screen, search for security.ssl3.rsa_fips_des_ede3_sha and
> disable it.
>
> Should this also occur in TBB?
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>