Opened 7 years ago

Last modified 9 months ago

#11154 new defect

Disable TLS 1.0 (and 1.1) by default

Reported by: ZeroCool
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff78-esr-will-have
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Running the How's My SSL check, the Tor Browser rated bad; the reason is that the Tor Browser is using old TLS settings and old security ciphers.

In the next update, please set the minimum TLS to 2 and the maximum to 3 in about:config for security.tls.version; this makes the minimum TLS 1.1 and my max TLS 1.2.

Also, please disable use of insecure cipher suites security.ssl3.rsa_fips_des_ede3_sha in about:config.
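
A check of a profile's prefs against the settings requested in the description above, as an added example that is not part of the ticket or of Tor Browser's code. The sample prefs are constructed, and the function names and the "des" name match are assumptions of this example.

```python
import re

# Firefox's integer encoding for security.tls.version.min / .max
TLS_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Matches user_pref("name", value); and pref("name", value); at the start of a line
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js style lines (last one wins)."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs, floor=2):
    """List findings against the ticket's request; floor=2 means TLS 1.1."""
    findings = []
    vmin = prefs.get("security.tls.version.min")
    vmax = prefs.get("security.tls.version.max")
    if vmin is None:
        findings.append("security.tls.version.min not set; browser default applies")
    elif vmin < floor:
        findings.append(f"minimum is {TLS_NAMES.get(vmin, vmin)}, below {TLS_NAMES[floor]}")
    if vmin is not None and vmax is not None and vmax < vmin:
        findings.append("security.tls.version.max is lower than .min")
    for name, value in sorted(prefs.items()):
        # Assumption of this example: an enabled security.ssl3.* pref with
        # "des" in its name is treated as a DES/3DES suite.
        if name.startswith("security.ssl3.") and "des" in name and value is True:
            findings.append(f"{name} is enabled")
    return findings

# Constructed sample input, not taken from a real profile.
SAMPLE = '''
// comment lines are ignored
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", true);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for line in audit(parse_prefs(SAMPLE)):
        print(line)
```
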

Change History (6)

comment:1 Changed 7 years ago by ZeroCool

Summary: changed from Tor Security Cipher to Tor TLS and Security Cipher

comment:2 Changed 6 years ago by kat

Just stumbled across this issue myself, good to see it logged. The latest Firefox (29.0.1) provides an almost identical fix as listed above, with the only difference being that it leaves the minimum TLS version at 0.

Is there a way that I can contribute to fixing this? Submit a diff? (How?) Log in somewhere and change a config then submit for approval? Something else?

Happy to contribute where I can.

comment:3 Changed 6 years ago by erinn

Keywords: needs-triage added

comment:4 Changed 5 years ago by cypherpunks

Component: changed from Tor bundles/installation to Tor Browser
Owner: changed from erinn to tbb-team

comment:5 Changed 3 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:6 Changed 9 months ago by gk

Keywords: ff78-esr-will-have added; needs-triage removed
Summary: changed from Tor TLS and Security Cipher to Disable TLS 1.0 (and 1.1) by default

We have everything this bug complains about apart from the tls min version. However, a fix for that landed recently: https://hg.mozilla.org/mozilla-central/rev/1d07ac23cc5a, so it seems Mozilla is confident this sticks and is not impacting usability too much. We could probably think about backporting that fix into our alpha series. Dunno what the real browser devs think about that, though. :)

Either way, this will be fixed in esr78.
