Re: [tor-bugs] #4744 [Tor Bridge]: GFW probes based on Tor's SSL cipher list
#4744: GFW probes based on Tor's SSL cipher list
--------------------------------+-------------------------------------------
Reporter: asn | Owner: nickm
Type: defect | Status: needs_revision
Priority: major | Milestone: Tor: 0.2.3.x-final
Component: Tor Bridge | Version:
Keywords: tls fingerprinting | Parent: #4185
Points: | Actualpoints:
--------------------------------+-------------------------------------------
Comment(by nickm):
Interestingly, with OpenSSL 1.0 with no options turned off, I believe the
only cipher that we need to "fake" on the list is 0xfeff,
"SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", which appears pretty low on the
list.
What if we do the following:
* Say, "If the client ciphersuite list is exactly (current contents of
ciphers.inc), then the server can only use the following N ciphers.
Otherwise, the server may assume that any cipher advertised by the client,
except 0xfeff, is present."
* Stop pretending to have ciphersuites that we don't, with the
exception of 0xfeff. This means that OpenSSL 0.9.x users and users of
OpenSSL on distributions that have disabled ECC or other ciphers will
stand out some.
* Strongly recommend use of OpenSSL 1.0.x or later, with nothing turned
off.
* Switch servers to select something good in 0.2.4, like
ECDHE_RSA_WITH_AES_256_CBC_SHA or something.
Thoughts? Otherwise, I don't know how we can tell whether we can ever
allow ECDHE ciphersuites.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4744#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
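The server-side rule in nickm's first bullet, as an added sketch that is not code from Tor or from the ticket. The cipher list standing in for ciphers.inc and the "N safe ciphers" subset are constructed placeholders (the real list is not reproduced here); only the 0xfeff fake and the ECDHE_RSA_WITH_AES_256_CBC_SHA preference come from the comment.

```python
# Ciphersuite codes (IANA values) used below.
ECDHE_RSA_AES256_SHA = 0xC014   # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_AES128_SHA = 0xC013   # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
DHE_RSA_AES256_SHA = 0x0039     # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
DHE_RSA_AES128_SHA = 0x0033     # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
RSA_AES256_SHA = 0x0035         # TLS_RSA_WITH_AES_256_CBC_SHA
RSA_3DES_SHA = 0x000A           # TLS_RSA_WITH_3DES_EDE_CBC_SHA
FAKE_FIPS_3DES = 0xFEFF         # SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, always faked

# Constructed stand-in for the fixed client list in ciphers.inc (order matters:
# the rule triggers only on an exact match).
TOR_CLIENT_LIST = [
    ECDHE_RSA_AES256_SHA, ECDHE_RSA_AES128_SHA, DHE_RSA_AES256_SHA,
    DHE_RSA_AES128_SHA, RSA_AES256_SHA, RSA_3DES_SHA, FAKE_FIPS_3DES,
]

# Hypothetical "N ciphers" every client sending that exact list really supports.
SAFE_SUBSET = [DHE_RSA_AES256_SHA, DHE_RSA_AES128_SHA, RSA_3DES_SHA]

# Server preference order; the 0.2.4 suggestion puts ECDHE AES-256 first.
SERVER_PREFS = [ECDHE_RSA_AES256_SHA, DHE_RSA_AES256_SHA, RSA_AES256_SHA, RSA_3DES_SHA]


def is_fixed_tor_list(client_list):
    """True when the ClientHello carries exactly the ciphers.inc list."""
    return list(client_list) == TOR_CLIENT_LIST


def usable_ciphers(client_list):
    """Ciphers the server may assume the client actually implements."""
    if is_fixed_tor_list(client_list):
        # Client is faking: only the known-good subset is trustworthy.
        return list(SAFE_SUBSET)
    # Client advertises honestly, except that 0xfeff is never real.
    return [c for c in client_list if c != FAKE_FIPS_3DES]


def select_cipher(client_list, server_prefs=SERVER_PREFS):
    """First server-preferred cipher the client can be trusted to support."""
    candidates = set(usable_ciphers(client_list))
    for cipher in server_prefs:
        if cipher in candidates:
            return cipher
    return None  # no common cipher: handshake would fail
```

A client that differs from the fixed list (for example one built against OpenSSL with ECC disabled) is treated as honest, which is exactly the "stand out some" trade-off the second bullet accepts.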