Opened 5 years ago

Closed 5 years ago

#17369 closed defect (fixed)

The RC4 cipher flags in TBB must be set to "false" by default

Reported by: TORques
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-security
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Related to the obsolete/broken RC4 cipher: in TBB v5.0.3, about:config -> RC4 shows 5 flags set to "true" by default.


Since RC4 has been proven insecure and obsolete, TBB must avoid using it by default.


Change History (10)

comment:1 Changed 5 years ago by TORques

security.tls.version.min is set to 1 by default in TBB v5.0.3, so problem solved.

comment:2 Changed 5 years ago by TORques

Resolution: fixed
Status: new → closed

comment:3 Changed 5 years ago by TORques

A Firefox contributor said: "I think security.tls.unrestricted_rc4_fallback It should default to false".

So the problem still remains, because in TBB v5.0.3 it defaults to true.

comment:4 Changed 5 years ago by gk

Keywords: TorBrowserTeam201511 tbb-security added
Milestone: Tor: unspecified
Resolution: fixed
Severity: Normal → Major
Status: closed → reopened
Version: Tor: unspecified

Looking at having the RC4 fallback disabled in the next alpha seems to be a good idea.

comment:5 Changed 5 years ago by gk

Status: reopened → needs_review

bug_17339 ( has a fix for review. I have been testing this for a while now with no issues. Shipping this in the alpha and backporting it to the stable coming after the next one (given we don't find any problems) should be fine: Firefox 44 will be shipped then, where the RC4 fallback is disabled by default, too.

comment:6 Changed 5 years ago by gk

I just realized that a fixup commit is smarter here. Please take bug_17369_v2 ( for review.

comment:7 Changed 5 years ago by mcs

Looks good.
r=mcs, r=brade

comment:8 Changed 5 years ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks, this is commit 910844e490662894031a8b73a24093ddeda9e4f0 on the alpha branch now.

comment:9 Changed 5 years ago by bugzilla

Keywords: TorBrowserTeam201602 added; TorBrowserTeam201511 removed
Parent ID: #10250
Resolution: fixed
Status: closed → reopened

To avoid different unknown bugs from Mozilla (+ SLOTH) and different views of its developers on what's going on in their code (see #10250), it's better to set all prefs to false, as TS suggested.
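An audit of the prefs discussed in comment 3 and comment 9, as an added example (not Tor Browser or Mozilla code): it parses prefs.js/user.js lines, reports every RC4-related pref still set to true, and emits user.js overrides forcing them to false. The sample prefs text is constructed; the security.ssl3.*rc4* names are assumed to be the RC4 cipher-suite prefs of that Firefox era and are not quoted from the ticket.

```python
import re

# Matches prefs.js / user.js lines such as
#   user_pref("security.tls.version.min", 1);
#   pref("security.tls.unrestricted_rc4_fallback", true);
PREF_LINE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\);'
)

# Constructed sample in the shape of a TBB 5.0.x prefs.js. The two security.tls.*
# prefs are the ones the ticket names; the security.ssl3.*rc4* names are assumed
# to be the RC4 cipher-suite prefs of that Firefox era (not quoted from the ticket).
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("security.tls.version.min", 1);
user_pref("security.tls.unrestricted_rc4_fallback", true);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", true);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:38.0)");
"""


def parse_prefs(text):
    """Return {name: value} from prefs.js-style text; values become bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comment, blank line, or not a pref call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def rc4_findings(prefs):
    """Names of RC4-related prefs (any name containing 'rc4') still set to true.
    security.tls.version.min is ignored on purpose: as comment 3 points out, a
    TLS 1.0 floor says nothing about whether the RC4 fallback is enabled."""
    return sorted(n for n, v in prefs.items() if "rc4" in n.lower() and v is True)


def hardened_user_js(prefs):
    """user.js overrides that force every still-enabled RC4 pref to false."""
    return "\n".join(f'user_pref("{n}", false);' for n in rc4_findings(prefs))
```

Running rc4_findings(parse_prefs(...)) over a real profile's prefs.js gives the check for a build; an empty result is the state comment 9 asks for.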

comment:10 Changed 5 years ago by gk

Keywords: TorBrowserTeam201602 removed
Parent ID: #10250
Resolution: fixed
Status: reopened → closed

I think this bug is resolved.
