[tbb-bugs] #18274 [Tor Browser]: 3DES_EDE_CBC cipher is vulnerable in the current TBB configuration!
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Feb 7 21:09:38 UTC 2016
#18274: 3DES_EDE_CBC cipher is vulnerable in the current TBB configuration!
------------------------------------------------+--------------------------
Reporter: bugzilla | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-security, TorBrowserTeam201602 | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------------------------------+--------------------------
Comment (by cypherpunks):
> Why is this security hole still present?
Any PoC it was used for False Start protocol?
{{{
Clients MUST NOT use the False Start protocol modification in a
handshake unless the cipher suite uses a key exchange method that has
been whitelisted for this use.
}}}
{{{
Implementations may have their own whitelists of key exchange methods
and client certificate types
}}}
[https://mxr.mozilla.org/mozilla-
esr38/source/security/manager/ssl/src/nsNSSCallbacks.cpp#979
CanFalseStartCallback]
{{{
ECDHE is allowed, but DHE (and RSA) are not.
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18274#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list