[tor-bugs] #11513 [Tor]: Make UNRESTRICTED_SERVER_CIPHER_LIST non-stupid
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Apr 14 16:21:38 UTC 2014
#11513: Make UNRESTRICTED_SERVER_CIPHER_LIST non-stupid
------------------------+-----------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-client 024-backport tls
Actual Points: | Parent ID:
Points: |
------------------------+-----------------------------------------
Comment (by nickm):
So, obviously:
* AES is better than 3DES.
* ECDHE is stronger / faster than DHE.
* GCM is faster than CBC-SHA, and lets us avoid all the ugly "mac-then-
encryot"-related CBC idiocy, so it may be stronger too.
* SHA384 is faster than SHA256 on 64-bit platforms. SHA1 is weaker than
the other two, though probably not yet in a way that matters for TLS.
I suggest that we prioritize those ciphersuites in that order too. So all
AES before any 3DES. Within a given cipher, all ECDHE before any DHE.
Within a cipher-group combination, GCM before CBC-SHA. And last, prefer
SHA384 over SHA256 over SHA1.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11513#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list