Opened 4 years ago

Last modified 4 years ago

#17374 new defect

Disable 1024-DH Encryption by default

Reported by: cypherpunks
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: starlight@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/

It seems very, very likely that the NSA has already broken both this and 512-bit encryption, so it would be better to disable it.

EFF.org recommends turning these 2 values in about:config to false:

security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

Change History (6)

comment:1 Changed 4 years ago by starlight

Cc: starlight@… added

comment:2 Changed 4 years ago by cypherpunks

Priority: Medium → High

comment:3 Changed 4 years ago by yawning

TLS negotiates which ciphersuite to use based on what the client claims to support in a ClientHello, with the most preferred first. Any modern (or halfway modern) web browser, including Tor Browser, will express a preference for the ECDHE suites.

The only times DHE suites will be used are if:

  • The server does not support ECDHE.
  • The server is horrifically misconfigured and prefers DHE over ECDHE.

What is suggested will force correct behavior in the latter case, at the expense of not being able to connect at all to servers exhibiting the former behavior. This is a usability vs security tradeoff, and my concern would be that people fall back to plain http when they can't reach a site over https (No crypto vs theoretically/speculatively weak crypto).

comment:4 in reply to:  3 ; Changed 4 years ago by cypherpunks

Replying to yawning:

> What is suggested will force correct behavior in the latter case, at the expense of not being able to connect at all to servers exhibiting the former behavior. This is a usability vs security tradeoff, and my concern would be that people fall back to plain http when they can't reach a site over https (No crypto vs theoretically/speculatively weak crypto).

Are there any estimates on how many servers (and which) use the weaker encryption by default? If it is only a small portion (and no major sites, only obscure rarely visited ones), I'm sure the security tradeoff is very much worth it.

comment:5 in reply to:  4 Changed 4 years ago by yawning

Replying to cypherpunks:

> Are there any estimates on how many servers (and which) use the weaker encryption by default? If it is only a small portion (and no major sites, only obscure rarely visited ones), I'm sure the security tradeoff is very much worth it.

That's a good question, I'd certainly hope that most of the major sites would prefer ECDH over DHE. The change as proposed will also totally break sites that use DHE with non-standard DH parameters, which is bad. That may be rather uncommon (though it's easy-ish to do).

If it were up to me, I'd tie this to the security slider (since that's where usability/security tradeoffs live), and when set to a sufficiently high value, refuse to do DHE depending on the ServerDHParams received as part of the handshake (e.g., reject groups that are < 1536 bits in length).

It's more involved (and may require patching NSS), but it:

  1. Gives users an option that isn't "no crypto" if their obscure site doesn't work.
  2. Will function as intended for people that refuse to use ECDH, and instead provide a large enough group.

comment:6 Changed 4 years ago by cypherpunks

Adding on to this, I think adding this in the security slider is one option. My suggestion would be for Medium-High and High.
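
The check proposed in comment:5, as an added example that is not part of the ticket and is not Tor Browser or NSS code: a standalone C program that parses the ServerDHParams at the start of a TLS 1.2 DHE ServerKeyExchange body and rejects a dh_p shorter than 1536 bits. The function names, the MIN_DH_BITS constant and the sample bytes are assumptions constructed for the example; it measures group size only and does not validate the prime or generator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MIN_DH_BITS 1536 /* threshold suggested in comment:5 */

/* Parse one TLS opaque<1..2^16-1> at cur; returns its value or NULL if malformed. */
static const uint8_t *vec16(const uint8_t *cur, const uint8_t *end, size_t *len) {
    if (end - cur < 2) return NULL;
    *len = ((size_t)cur[0] << 8) | cur[1];
    if (*len == 0 || (size_t)(end - cur - 2) < *len) return NULL;
    return cur + 2;
}

/* Bit length of a big-endian integer; leading zero bytes (padding) do not count. */
static unsigned bit_length(const uint8_t *v, size_t len) {
    while (len > 0 && *v == 0) { v++; len--; }
    if (len == 0) return 0;
    unsigned bits = (unsigned)(len - 1) * 8;
    for (uint8_t top = *v; top; top >>= 1) bits++;
    return bits;
}

/* 1 = accept, 0 = dh_p shorter than min_bits, -1 = malformed ServerDHParams. */
int dh_group_acceptable(const uint8_t *msg, size_t n, unsigned min_bits) {
    const uint8_t *end = msg + n, *p, *g;
    size_t p_len, g_len, ys_len;
    if (!(p = vec16(msg, end, &p_len)) ||        /* dh_p  */
        !(g = vec16(p + p_len, end, &g_len)) ||  /* dh_g  */
        !vec16(g + g_len, end, &ys_len))         /* dh_Ys */
        return -1;
    return bit_length(p, p_len) >= min_bits;
}

/* Constructed sample, not a real prime: dh_p is p_len bytes (pad zero bytes,
 * then 0xFF fill), dh_g = 2, dh_Ys = 5. Returns the number of bytes written. */
size_t sample_params(uint8_t *buf, size_t p_len, size_t pad) {
    buf[0] = (uint8_t)(p_len >> 8); buf[1] = (uint8_t)p_len;
    memset(buf + 2, 0x00, pad);
    memset(buf + 2 + pad, 0xFF, p_len - pad);
    memcpy(buf + 2 + p_len, "\x00\x01\x02\x00\x01\x05", 6);
    return p_len + 8;
}

int main(void) {
    uint8_t buf[600];
    printf("1024-bit dh_p: %d\n", dh_group_acceptable(buf, sample_params(buf, 128, 0), MIN_DH_BITS));
    printf("2048-bit dh_p: %d\n", dh_group_acceptable(buf, sample_params(buf, 256, 0), MIN_DH_BITS));
    return 0;
}
```

Measuring the bit length rather than the byte length of dh_p matters: a 1024-bit modulus sent with 64 leading zero bytes occupies 192 bytes on the wire but is still rejected.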
