#21005: Enforce Stronger Ciphers in Tor Messenger
----------------------------------------+---------------------
 Reporter:  cypherpunks                 |          Owner:
     Type:  enhancement                 |         Status:  new
 Priority:  Medium                      |      Milestone:
Component:  Applications/Tor Messenger  |        Version:
 Severity:  Normal                      |     Resolution:
 Keywords:  Tor Messenger               |  Actual Points:
Parent ID:                              |         Points:
 Reviewer:                              |        Sponsor:
----------------------------------------+---------------------
Comment (by arlolra):

Thanks for your pursuit.

> a user should not enforce stronger ciphers by setting a higher security level

Right, I reconsidered that here,
https://blog.torproject.org/blog/tor-messenger-030b1-released#comment-220691

As an experiment, I changed my settings to what you suggested above. When
connecting to my accounts, I was presented with,

{{{
Error: An error occurred during a connection to freenodeok2gncmy.onion:6697.

Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: <a id="errorCode" title="SSL_ERROR_NO_CYPHER_OVERLAP">SSL_ERROR_NO_CYPHER_OVERLAP</a>
}}}

That's freenode's onion (we need to consider IRC as well).

Running `nmap -Pn --script ssl-enum-ciphers -p 6697 chat.freenode.net` gives me,

{{{
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
}}}

The first one on the list is recommended in RFC 7525, but not supported in
NSS, see ticket:18129#comment:11

> or deliberately use the ... server

which would mean enabling `security.ssl3.dhe_rsa_aes_256_sha` as a
distinguisher. Someone suggested this isn't an issue because,

> your email/xmpp provider already "knows" you

https://blog.torproject.org/blog/tor-messenger-030b1-released#comment-221194

but that's a global setting that's going to be advertised to all connections
and might not play well with temporary accounts in #16606

On another note about the `security.ssl3.*`, the rc4 suites aren't enabled
despite saying `true`. See ticket:18129#comment:7 for the client hello.

Anyways, I think I agree with the spirit of the ticket.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21005#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
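The two failure modes arlolra describes above, no cipher overlap after tightening the `security.ssl3.*` prefs and a single re-enabled pref acting as a client fingerprint, can be checked before touching a live account. The following is an added example, not code from the ticket or from Tor Messenger: it parses the `ssl-enum-ciphers` lines quoted in the comment, computes which of the server's suites a given pref profile could negotiate, and lists the prefs that differ from a baseline (each of which changes the advertised cipher list on every connection). The mapping from pref names to IANA suite names is an assumption made for illustration (only `security.ssl3.dhe_rsa_aes_256_sha` is named in the ticket), as is the `NSS_UNSUPPORTED` set, which records the comment's statement that the DHE-GCM suite is not implemented in NSS. The model assumes a `true` pref really is advertised, which the comment notes is not the case for the rc4 prefs, so treat its output as an approximation of the ClientHello, not a capture of it.

```python
"""Added example (not from the ticket): check a pref profile against the suites
a server offers, using the nmap output quoted in the comment, and list the
prefs that make the ClientHello stand out from a baseline profile."""
import re

# Constructed sample: the ssl-enum-ciphers lines quoted in the comment,
# embedded inline so the check runs offline.
NMAP_OUTPUT = """\
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
"""

# Assumed mapping from security.ssl3.* prefs to IANA suite names; only the
# dhe_rsa_aes_256_sha entry is named in the ticket, the rest are illustrative.
PREF_TO_SUITE = {
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_rsa_aes_256_sha": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.dhe_rsa_aes_256_sha": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.rsa_aes_128_sha": "TLS_RSA_WITH_AES_128_CBC_SHA",
}

# Per the comment, NSS does not implement the DHE-GCM suite (ticket:18129).
NSS_UNSUPPORTED = {"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"}

_VERSION_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv3):\s*$")
_SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)(?:\s+\(([^)]*)\))?\s+-\s+([A-F])\s*$")


def parse_nmap_ciphers(text):
    """Return {version: [(suite, kex_info, grade), ...]} from ssl-enum-ciphers output."""
    offered, version = {}, None
    for line in text.splitlines():
        m = _VERSION_RE.match(line)
        if m:
            version = m.group(1)
            offered.setdefault(version, [])
            continue
        m = _SUITE_RE.match(line)
        if m and version:
            offered[version].append((m.group(1), m.group(2) or "", m.group(3)))
    return offered


def client_suites(prefs):
    """IANA suite names a client with these about:config prefs would advertise."""
    return {PREF_TO_SUITE[p] for p, on in prefs.items() if on and p in PREF_TO_SUITE}


def negotiable(prefs, server_suites):
    """Server suites the client can use, in server order; an empty list means the
    handshake fails with SSL_ERROR_NO_CYPHER_OVERLAP, as in the comment."""
    usable = client_suites(prefs) - NSS_UNSUPPORTED
    return [s for s in server_suites if s in usable]


def distinguishing_prefs(prefs, baseline):
    """Prefs whose value differs from the baseline profile; each one changes the
    cipher list sent on every connection, so it fingerprints the client."""
    keys = set(prefs) | set(baseline)
    return sorted(k for k in keys if prefs.get(k, False) != baseline.get(k, False))


def weak_dh_groups(parsed, min_bits=2048):
    """Suites whose DH group is smaller than min_bits (none in the quoted output)."""
    weak = []
    for suites in parsed.values():
        for suite, kex, _ in suites:
            m = re.match(r"dh (\d+)", kex)
            if m and int(m.group(1)) < min_bits:
                weak.append(suite)
    return weak


# Constructed profiles: BASELINE enables everything in the mapping, HARDENED
# keeps only the ECDHE-GCM suites (the kind of tightening the reporter proposed),
# HARDENED_PLUS_DHE re-enables the one DHE suite freenode's onion offers.
BASELINE = {p: True for p in PREF_TO_SUITE}
HARDENED = {p: p.endswith("gcm_sha256") for p in PREF_TO_SUITE}
HARDENED_PLUS_DHE = {**HARDENED, "security.ssl3.dhe_rsa_aes_256_sha": True}

SERVER_SUITES = [s for s, _, _ in parse_nmap_ciphers(NMAP_OUTPUT)["TLSv1.2"]]

if __name__ == "__main__":
    for name, prefs in (("baseline", BASELINE), ("hardened", HARDENED),
                        ("hardened+dhe", HARDENED_PLUS_DHE)):
        ok = negotiable(prefs, SERVER_SUITES)
        print(f"{name:13s} -> {ok or 'SSL_ERROR_NO_CYPHER_OVERLAP'}")
        print(f"{'':13s}    differs from hardened: {distinguishing_prefs(prefs, HARDENED)}")
    print("weak DH groups:", weak_dh_groups(parse_nmap_ciphers(NMAP_OUTPUT)))
```

Run as-is it reproduces the comment's situation: the hardened profile has no overlap with the two suites freenode's onion offers, and the only way to connect is to flip `security.ssl3.dhe_rsa_aes_256_sha` back on, which is exactly the one-pref distinguisher the comment is worried about. To check a different server, paste its `ssl-enum-ciphers` output into `NMAP_OUTPUT`.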