On Mon, Mar 3, 2014 at 10:37 PM, Watson Ladd watsonbladd@gmail.com wrote:
How about 6: Tor server to server connections should use ECDHE+ChaCha20 or GCM_AES ciphersuites only? This closes the UKS hole that enabled this attack to happen, and probably is a good idea anyway.
To make sure I understand, it's the ECDHE that's the defense here: unlike DHE, ECDHE implementations don't let the attacker pick an arbitrary set of parameters which might not define a real group, and so if ECDHE is used, the attacker can't force two connections to share the same keys.
I guess this is another "defense in depth" item: as of Tor 0.2.4.x*, the preferred ciphersuites are all ECDHE ones. But that isn't quite good enough, since non-ECDHE ciphersuites are still supported, so an attacker can simply pretend not to support them when talking to the client and the server.
It would be helpful to know what fraction of 0.2.4.x servers support ECDHE ciphersuites today. That would let us figure out what obstacles there might be to dropping non-ECDHE ciphersuites in the future.
* Assuming you're built with a good enough version of OpenSSL that doesn't have ECC turned off.
best wishes,
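As an added illustration of the point made above (not code from this thread or from Tor), the following toy model shows why finite-field DHE with peer-supplied parameters lets a man in the middle force both of his connections onto the same premaster secret, what a parameter and public-value check has to reject, and a ciphersuite allowlist of the kind item 6 proposes. The small safe-prime group, the SHA-256 stand-in for the TLS PRF, and the OpenSSL-style suite names are all assumptions made for the example.

```python
"""Added example (not Tor's code): degenerate DHE values, the checks that
reject them, and an ECDHE+AEAD ciphersuite filter.  All values are toy-sized
and constructed for illustration."""
import hashlib

# Constructed toy group: p = 2q + 1 with q prime, and g = 4 is a quadratic
# residue, so it generates the order-q subgroup.  Real TLS uses >= 2048 bits.
P, Q, G = 1019, 509, 4


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def dh_shared(peer_pub, priv, p=P):
    """Premaster secret as an honest side computes it: peer_pub ** priv mod p."""
    return pow(peer_pub, priv, p)


def check_dh_params(p, g, q=None):
    """Reject (p, g) that do not define a usable group: composite p, or g of
    order 1 or 2 (g in {0, 1, p-1}).  If q is known, g must lie in the
    order-q subgroup."""
    if p < 5 or not is_prime(p) or not 1 < g < p - 1:
        return False
    if q is not None and (not is_prime(q) or (p - 1) % q or pow(g, q, p) != 1):
        return False
    return True


def check_dh_public(y, p, q=None):
    """Reject a peer public value of trivial order (0, 1, p-1) or outside the
    field; if q is known, require membership in the order-q subgroup."""
    if not 1 < y < p - 1:
        return False
    return q is None or pow(y, q, p) == 1


def secrets_forced_by(peer_pub, privs, p=P):
    """Premaster secrets an honest side derives over many private keys when its
    peer sends peer_pub.  A tiny set means the peer, not the key, decides."""
    return {dh_shared(peer_pub, x, p) for x in privs}


def toy_master_secret(pms, client_random, server_random, p=P):
    """Stand-in for the TLS PRF (an assumption of this example): all that
    matters is that it is a deterministic function of pms and the randoms."""
    pms_bytes = pms.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"toy-ms" + pms_bytes + client_random + server_random).digest()


def unknown_key_share(client_x, server_y, p=P,
                      client_random=b"C" * 32, server_random=b"S" * 32):
    """Man in the middle relays both randoms unchanged and sends the degenerate
    public value 1 on each leg (as 'server' to the client, as 'client' to the
    server).  Neither honest private key matters any more, so the two legs end
    up with the same master secret.  Returns (client-leg MS, server-leg MS)."""
    pms_client_leg = dh_shared(1, client_x, p)   # always 1, whatever client_x
    pms_server_leg = dh_shared(1, server_y, p)   # always 1, whatever server_y
    return (toy_master_secret(pms_client_leg, client_random, server_random, p),
            toy_master_secret(pms_server_leg, client_random, server_random, p))


def suite_allowed(name):
    """Item 6 as a filter over OpenSSL-style suite names: ECDHE key exchange
    (named curve, so the peer cannot supply the group) plus an AEAD bulk
    cipher (AES-GCM or ChaCha20-Poly1305)."""
    return name.startswith("ECDHE-") and ("-GCM-" in name or "CHACHA20" in name)


if __name__ == "__main__":
    privs = range(1, Q)
    print("honest g:", len(secrets_forced_by(G, privs)), "distinct secrets")
    print("peer sends 1:", secrets_forced_by(1, privs))
    print("peer sends p-1:", secrets_forced_by(P - 1, privs))
    a, b = unknown_key_share(123, 456)
    print("both legs share one master secret:", a == b)
    for s in ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
              "DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA"):
        print(f"{s:32} {'allowed' if suite_allowed(s) else 'rejected'}")
```

The checks in `check_dh_params` and `check_dh_public` are what a DHE implementation would need before trusting peer-chosen values; the point of the ECDHE-only allowlist is that with named curves the group is fixed by the implementation, so there is nothing for the peer to choose and nothing to validate beyond the point itself.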