Disable 1024-DH Encryption by default

https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/

Seems it very very likely the NSA has already broken both this and 512-bit encryption so it would be better to disable.

EFF.org recommends turning these 2 values in about:config to false:

security.ssl3.dhe_rsa_aes_128_sha security.ssl3.dhe_rsa_aes_256_sha

added component::applications/tor browser owner::tbb-team priority::high severity::normal status::new type::defect labels

Trac:
Cc: N/A to starlight@binnacle.cx

Trac:
Priority: Medium to High

TLS negotiates which ciphersuite to use based on what the client claims to support in a ClientHello, with the most preferred first. Any modern (or halfway modern) web browser including Tor Browser will express preference the ECDHE suites.

The only times DHE suites will be used is if:

• The server does not support ECDHE.
• The server is horrifically misconfigured and prefers DHE over ECDHE.

What is suggested will force correct behavior in the latter case, at the expense of not being able to connect at all to servers exhibiting the former behavior. This is a usability vs security tradeoff, and my concern would be that people fall back to plain http when they can't reach a site over https (No crypto vs theoretically/speculatively weak crypto).

Replying to yawning:

What is suggested will force correct behavior in the latter case, at the expense of not being able to connect at all to servers exhibiting the former behavior. This is a usability vs security tradeoff, and my concern would be that people fall back to plain http when they can't reach a site over https (No crypto vs theoretically/speculatively weak crypto).

Are there any estimates on how many servers (and which) use the weaker encryption by default? If it is only a small portion (and no major sites, only obscure rarely visited ones), I'm sure the security tradeoff is very much worth it.

Replying to cypherpunks:

Are there any estimates on how many servers (and which) use the weaker encryption by default? If it is only a small portion (and no major sites, only obscure rarely visited ones), I'm sure the security tradeoff is very much worth it.

That's a good question, I'd certainly hope that most of the major sites would prefer ECDH over DHE. The change as proposed will also totally break sites that use DHE with non-standard DH parameters, which is bad. That may be rather uncommon (though it's easy-ish to do).

If it were up to me, I'd tie this to the security slider (since that's where usability/security tradeoffs live), and when set to a sufficiently high value, refuse to do DHE depending on the ServerDHParams received as part of the handshake (Eg: Reject groups that are < 1536 bits in length).

It's more involved (and may require patching NSS), but it:

a. Gives users an option that isn't "no crypto" if their obscure site doesn't work. b. Will function as intended for people that refuse to use ECDH, and instead provide a large enough group.

Adding on to this, I think adding this in the security slider is one option. My suggestion would be for Medium-High and High.

moved to tpo/applications/tor-browser#17374 (closed)