Opened 4 years ago

Closed 4 years ago

#17369 closed defect (fixed)

The RC4 cipher flags in TBB must be set to "false" by default

Reported by: TORques Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-security
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Related to the obsolete/broken RC4 cipher, the TBB v5.0.3 about:config -> RC4 has 5 flags set to "true" by default

security.ssl3.ecdhe_ecdsa_rc4_128_sha;true
security.ssl3.ecdhe_rsa_rc4_128_sha;true
security.ssl3.rsa_rc4_128_md5;true
security.ssl3.rsa_rc4_128_sha;true
security.tls.unrestricted_rc4_fallback;true

Since the RC4 was proved insecure and obsolete, the TBB must avoid using this by default

https://community.qualys.com/blogs/securitylabs/2015/05/21/ssl-labs-117-obsolete-crypto-rc4-and-logjam

Child Tickets

Change History (10)

comment:1 Changed 4 years ago by TORques

security.tls.version.min is set to 1 by default in TBB v5.0.3 so problem solved

https://blog.torproject.org/blog/new-sslv3-attack-found-disable-sslv3-torbrowser

comment:2 Changed 4 years ago by TORques

Resolution: fixed
Status: newclosed

comment:3 Changed 4 years ago by TORques

a firefox contributor said "I think security.tls.unrestricted_rc4_fallback It should default to false"

https://support.mozilla.org/en-US/questions/1056008

so the problem still remains because in TBB v5.0.3 is default to true

comment:4 Changed 4 years ago by gk

Keywords: TorBrowserTeam201511 tbb-security added
Milestone: Tor: unspecified
Resolution: fixed
Severity: NormalMajor
Status: closedreopened
Version: Tor: unspecified

Looking at https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/ having the RC4 fallback disabled in the next alpha seems to be a good idea.

comment:5 Changed 4 years ago by gk

Status: reopenedneeds_review

bug_17339 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_17369&id=a943aa626c8e1999e46b765e08e9683fafa590ce) has a fix for review. I am testing this for a while now with no issues. Shipping this in the alpha and backporting this to the stable coming after the next one (given we don't find any problems) should be fine: Firefox 44 will be shipped then where the RC4 fallback is disabled by default, too.

comment:6 Changed 4 years ago by gk

I just realized that a fixup commit is smarter here. Please take bug_17369_v2 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_17369_v2&id=bb66880d667eba0338c31fedccb4ec38b910ad85) for review.

comment:7 Changed 4 years ago by mcs

Looks good.
r=mcs, r=brade

comment:8 Changed 4 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Thanks, this is commit 910844e490662894031a8b73a24093ddeda9e4f0 on the alpha branch now.

comment:9 Changed 4 years ago by bugzilla

Keywords: TorBrowserTeam201602 added; TorBrowserTeam201511 removed
Parent ID: #10250
Resolution: fixed
Status: closedreopened

To avoid different unknown bugs from Mozilla (+ SLOTH) and different views of its developers on what's going on in their code (see #10250), it's better to set all prefs to false, as TS suggested.

comment:10 Changed 4 years ago by gk

Keywords: TorBrowserTeam201602 removed
Parent ID: #10250
Resolution: fixed
Status: reopenedclosed

I think this bug is resolved.

Note: See TracTickets for help on using tickets.