On Mon, 22 Jun 2015 15:55:59 -0400 "l.m" ter.one.leeboi@hush.com wrote:
Last I heard NIST groups are rubbish. You're better off without them for security. Am I wrong?
DHE is worse (logjam being a recent high profile example), and is far slower. It's important to remember that TLS being broken while far from ideal is insufficient for adversaries since they will need a Curve25519 break as well to actually get plaintext.
It is worth noting that as of 0.2.7.x, tor will *require* OpenSSL with ECDH support, and one of P-244 or P-256. There is an IETF draft circulating for standardizing other curves (Ed25519, Ed448) which hopefully will see uptake in the longer run, but ECDHE with the NIST curves is the current "least bad" choice.
Regards,