Opened 5 months ago

Closed 5 weeks ago

Last modified 3 weeks ago

#20751 closed enhancement (fixed)

enforce stronger ciphers in torbirdy

Reported by: cypherpunks
Owned by: sukhbir
Priority: Low
Milestone:
Component: Applications/TorBirdy
Version:
Severity: Minor
Keywords: torbirdy, thunderbird, TorBirdy0.2.2
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The last RFC from 2015 regarding TLS (https://www.rfc-editor.org/rfc/rfc7525.txt) makes
recommendations regarding the use of ciphers; these ciphers are only included in TLS v. 1.2.
4.2. Recommended Cipher Suites

Given the foregoing considerations, implementation and deployment of
the following cipher suites is RECOMMENDED:

o TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

These cipher suites are supported only in TLS 1.2 because they are
authenticated encryption (AEAD) algorithms [RFC5116].


Maybe it's a good idea for torbirdy to enforce stronger ciphers and TLS v1.2 (TLS v1.1 was published in 2006 and TLS v1.2 was published in 2008) and only to allow weaker ciphers if the user deliberately changes the setting (e.g. in "Torbirdy Preferences", checkbox "Allow weak ciphers and TLS downgrade"). Especially because torbirdy users always face the risk of a malicious exit node that might try a downgrade attack. And if an email provider in late 2016 still doesn't support the IETF recommendations from 2016 (RFC 7525), maybe it's just not a good idea to use them with torbirdy (by specifically enabling weaker settings, by checking a box, the user should know that it's not the best idea to use this email provider any longer).

Therefore I recommend the following tls/tls-settings for torbirdy's next release.
(I took them from this German site: https://privacy-handbuch.de/handbuch_31k.htm)

security.tls.version.min = 3 enforce tls v 1.2
security.ssl3.* false
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256 true
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 true

prevent insecure recognition
security.ssl.require_safe_negotiation true
security.ssl.treat_unsafe_negotiation_as_broken true

strict key pinning [1]
security.cert_pinning.enforcement_level 2

[1]https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

Attachments (1)

mailserver.txt (2.7 KB) - added by cypherpunks 3 weeks ago.
mailserver overview

Change History (7)

comment:1 Changed 5 months ago by sukhbir

  • Keywords TorBirdy0.2.2 added

Thanks for reporting this issue.

We have been meaning to do this and while we do have safer secure defaults than Thunderbird (see below from components/torbirdy.js), I agree we can do better.

  // Thunderbird 23.0 uses the following preference.
  // https://bugs.torproject.org/11253
  "security.tls.version.min": 1,
  "security.tls.version.max": 3,

and ...

  // Reject all connection attempts to servers using the old SSL/TLS protocol.
  "security.ssl.require_safe_negotiation": true,
  // Warn when connecting to a server that uses an old protocol version.
  "security.ssl.treat_unsafe_negotiation_as_broken": true,

Part of the reason I delayed this was because we need a way for users to be able to use less secure defaults via TorBirdy's preferences and I haven't spent much time thinking on how to do that yet.

Let's tackle this in the 0.2.2 release.

comment:2 follow-up: Changed 3 months ago by Diapolo

I'd like to support the idea of better and safer defaults!

"security.tls.version.min": 1,
"security.tls.version.max": 3,

I'm able to use 3, 3 and would also be able to use 3, 4 if Thunderbird supports TLS 1.3, so it's bad that these are getting overwritten ;).

comment:3 in reply to: ↑ 2 Changed 2 months ago by sukhbir

Replying to Diapolo:

> I'd like to support the idea of better and safer defaults!
>
> "security.tls.version.min": 1,
> "security.tls.version.max": 3,
>
> I'm able to use 3, 3 and would also be able to use 3, 4 if Thunderbird supports TLS 1.3, so it's bad that these are getting overwritten ;).

I am thinking of going with:

"security.tls.version.min": 3,
"security.tls.version.max": 3,

And then have an opt-out if this breaks some mail providers, with the preferences (set via TorBirdy's preferences dialog):

"security.tls.version.min": 1,
"security.tls.version.max": 3,
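
The strict and opt-out profiles discussed above can be checked mechanically. This is an added example, not part of the ticket or of TorBirdy's code: it parses `user_pref(...)` lines and flags a minimum below TLS 1.2, enabled `security.ssl3.*` suites lacking (EC)DHE or AEAD, and unset safe-negotiation prefs. The function names and both sample profiles are constructed for illustration, and `security.ssl3.rsa_aes_128_sha` is a Thunderbird pref name that does not appear in the ticket.

```javascript
// Added example: audit Thunderbird-style TLS prefs against the ticket's proposal.
// Mozilla's numeric encoding for security.tls.version.min / .max.
const TLS_NAMES = { 0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3" };
const NEGOTIATION_PREFS = ["security.ssl.require_safe_negotiation",
                           "security.ssl.treat_unsafe_negotiation_as_broken"];

// Parse prefs.js / user.js lines of the form: user_pref("name", value);
function parsePrefs(text) {
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;/gm;
  const prefs = {};
  for (const [, name, raw] of text.matchAll(re)) prefs[name] = JSON.parse(raw);
  return prefs;
}

// Strong = (EC)DHE key exchange plus an AEAD cipher (GCM or ChaCha20-Poly1305),
// the two properties shared by the suites RFC 7525 section 4.2 recommends.
function isStrongSuite(prefName) {
  const suite = prefName.slice("security.ssl3.".length);
  return /^(ecdhe|dhe)_/.test(suite) && /_gcm_|chacha20_poly1305/.test(suite);
}

function auditPrefs(prefs) {
  const findings = [];
  const min = prefs["security.tls.version.min"];
  if (min === undefined) findings.push("security.tls.version.min is not set");
  else if (min < 3) findings.push(`minimum protocol is ${TLS_NAMES[min]}, below TLS 1.2`);
  for (const [name, value] of Object.entries(prefs)) {
    if (name.startsWith("security.ssl3.") && value === true && !isStrongSuite(name))
      findings.push(`non-AEAD or non-forward-secret suite enabled: ${name}`);
  }
  for (const name of NEGOTIATION_PREFS)
    if (prefs[name] !== true) findings.push(`${name} is not true`);
  return findings;
}

// Constructed sample input (not taken from any real profile).
const LEGACY = `
// version floor of 1 as in the older defaults, plus one CBC suite left on
user_pref("security.tls.version.min", 1);
user_pref("security.ssl3.rsa_aes_128_sha", true);
user_pref("security.ssl.require_safe_negotiation", true);`;
const STRICT = `
user_pref("security.tls.version.min", 3);
user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);`;
console.log(auditPrefs(parsePrefs(LEGACY)), auditPrefs(parsePrefs(STRICT)));
```
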

comment:4 Changed 5 weeks ago by sukhbir

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in c0e12ccb9. Please let me know in case we can enforce even stronger ciphers without breaking major email providers.

Changed 3 weeks ago by cypherpunks

mailserver overview

comment:5 Changed 3 weeks ago by cypherpunks

I tried to start a list of the most common mail providers that support ECDHE-RSA-AES128-GCM-SHA256 and it turns out that most do. (Actually, I hoped to start it as a wiki page but I couldn't figure out how) -> see attachment

Last edited 3 weeks ago by cypherpunks

comment:6 Changed 3 weeks ago by cypherpunks

Just for the sake of completeness, TB 52 adds support for:

ecdhe_rsa_aes_256_gcm_sha384
ecdhe_ecdsa_aes_256_gcm_sha384
ecdhe_rsa_chacha20_poly1305_sha256
ecdhe_ecdsa_chacha20_poly1305_sha256