Opened 6 years ago

Closed 3 years ago

#10250 closed defect (worksforme)

Disable RC4 in TBB Firefox

Reported by: Jesse V.
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, ff45-esr-will-have
Cc: ilf@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Attacks against RC4 have recently been reported as plausible, and Microsoft, among other groups, has recommended avoiding RC4 for symmetric-key encryption. I would recommend blacklisting cipher suites that rely upon RC4 so that other, stronger algorithms, such as AES, will be preferred instead, so as to avoid these attacks. For example, I have disabled 0x9c, 0x35, 0x5, 0x4, 0x2f, and 0xa in Chromium because they do not provide perfect forward secrecy, and 0xc007, 0xc011, and 0x66 because they rely on RC4 but do provide perfect forward secrecy.

Child Tickets

Change History (11)

comment:1 Changed 6 years ago by gk

Component: - Select a component → Tor bundles/installation
Owner: set to erinn

comment:2 Changed 5 years ago by ilf

Cc: ilf@… added

I support this. The setting is: security.ssl3.*_rc4_* = false

comment:4 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:5 Changed 5 years ago by erinn

Component: Tor bundles/installation → Tor Browser
Owner: changed from erinn to tbb-team

comment:6 Changed 4 years ago by InvalidType

I agree. That should be high priority & corrected quickly.

When you visit https://howsmyssl.com, you literally obtain "BAD".

That is just not acceptable for Tor Browser.

comment:7 Changed 4 years ago by cypherpunks

Severity: Normal

Both https://www.howsmyssl.com/ and https://www.ssllabs.com/ssltest/viewMyClient.html do not list RC4 as supported by the current Tor Browser. Also #17369 disabled RC4 fallback.

So this issue is now fixed?

comment:8 Changed 4 years ago by bugzilla

Keywords: tbb-security added; needs-triage removed

No! #17369 disabled unrestricted fallback only, but the fallback restricted by Mozilla's whitelist still persists (~1058 sites); Mozilla cleared it in FF 44 (https://bugzilla.mozilla.org/show_bug.cgi?id=1215796).

Last edited 4 years ago by bugzilla

comment:9 Changed 4 years ago by bugzilla

Other Mozilla devs said that the whitelist had never been used. The user-defined list is empty too. It's not right to depend on all that. We need to disable RC4 completely.

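Worked example, added here as an editor's illustration; it is not part of the ticket and not Tor Browser's or Mozilla's own code. It pulls together the three technical points in the thread: the description's list of cipher-suite IDs, the security.ssl3.*_rc4_* pref glob from comment:2, and the RC4 fallback paths discussed in comment:8 and comment:9. The first part is a user.js fragment that expands the glob into the four RC4 suite prefs Firefox exposed at the time, plus the two fallback prefs (security.tls.unrestricted_rc4_fallback and security.tls.insecure_fallback_hosts). Those pref names are taken from Firefox of the ESR38/FF44 era and were dropped once RC4 support was removed, so confirm them in about:config for the build in use. user_pref() is stubbed so the file runs under Node and the resulting pref table can be checked; in a profile Firefox supplies it. The second part audits an offered cipher-suite list the way howsmyssl.com rates a client, flagging RC4 suites and suites without forward secrecy; the suite table holds IANA TLS cipher-suite numbers, and the offered list at the bottom is constructed for the example.

```javascript
// Added example, not from the ticket or the Tor Browser project.
// Part 1: user.js prefs. user_pref() is stubbed here so this runs under Node;
// in a real profile these lines go in user.js and Firefox provides user_pref().
const prefs = {};
function user_pref(name, value) { prefs[name] = value; }

// comment:2's glob security.ssl3.*_rc4_* expanded to the four RC4 suite prefs
// Firefox of that era exposed (pref names assumed from that era; verify in about:config).
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
// Disabling the suites alone leaves the fallback paths from comment:8 in place:
// keep unrestricted fallback off and the user-defined fallback host list empty.
user_pref("security.tls.unrestricted_rc4_fallback", false);
user_pref("security.tls.insecure_fallback_hosts", "");

// True only if the table contains RC4 suite prefs and every one of them is false.
function rc4Disabled(table) {
  const rc4Prefs = Object.keys(table).filter(k => /^security\.ssl3\..*_rc4_/.test(k));
  return rc4Prefs.length > 0 && rc4Prefs.every(k => table[k] === false);
}

// Part 2: audit an offered suite list. Keys are IANA cipher-suite numbers;
// the first nine are exactly the IDs the ticket description lists.
const SUITES = {
  0x0004: "TLS_RSA_WITH_RC4_128_MD5",
  0x0005: "TLS_RSA_WITH_RC4_128_SHA",
  0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
  0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
  0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
  0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
  0x009c: "TLS_RSA_WITH_AES_128_GCM_SHA256",
  0xc007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
  0xc011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
  0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
  0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
};

// RC4 is the bulk cipher; (EC)DHE key exchange is what gives forward secrecy.
function usesRC4(name) { return /_RC4_/.test(name); }
function hasPFS(name) { return /^TLS_(ECDHE|DHE)_/.test(name); }

// Classify an offered list of suite IDs. ok is false as soon as any RC4 suite
// is offered, which is the condition this ticket is about; noPFS is reported
// separately because the description treats it as a second, weaker concern.
function auditOffer(ids) {
  const rc4 = [], noPFS = [], unknown = [];
  for (const id of ids) {
    const name = SUITES[id];
    if (!name) { unknown.push(id); continue; }
    if (usesRC4(name)) rc4.push(name);
    if (!hasPFS(name)) noPFS.push(name);
  }
  return { ok: rc4.length === 0, rc4, noPFS, unknown };
}

// Constructed offer resembling a pre-fix client: two good suites, then an RC4
// suite with PFS, a non-PFS AES suite, and an RC4 suite without PFS.
const SAMPLE_OFFER = [0xc02f, 0xc013, 0xc011, 0x002f, 0x0005];

console.log("RC4 prefs all disabled:", rc4Disabled(prefs));
console.log(JSON.stringify(auditOffer(SAMPLE_OFFER), null, 2));
```

Running the file prints the pref check and the audit of the constructed offer; the two RC4 suites are what would have produced howsmyssl's "BAD" rating, while the non-PFS AES suite only lowers the grade.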
comment:10 Changed 4 years ago by gk

Keywords: ff45-esr-will-have added

comment:11 Changed 3 years ago by gk

Resolution: worksforme
Status: new → closed

Our nightlies already ship fixes for that and our alphas are about to do so, too. Let's close this ticket then.
