[tor-bugs] #5598 [Tor Relay]: Turn DynamicDHGroups off by default

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu May 24 22:13:27 UTC 2012


#5598: Turn DynamicDHGroups off by default
-------------------------+--------------------------------------------------
 Reporter:  rransom      |          Owner:                    
     Type:  enhancement  |         Status:  new               
 Priority:  normal       |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Relay    |        Version:                    
 Keywords:               |         Parent:                    
   Points:               |   Actualpoints:                    
-------------------------+--------------------------------------------------

Comment(by nickm):

 So the downside of leaving the option on here is that the delay in initial
 startup time makes controllers see various kinds of weird behavior.

 The downside of turning it off is that we use the default mod_ssl DH
 group, which:
   * was generated according to a non-reproducible process (if I recall
 correctly).  But I'm not aware of any attack where a DH group that passes
 all of the strong prime tests is nonetheless flawed, so this one doesn't
 bug me too much.
   * might get blocked someday, if a censor is willing to block every
 mod_ssl installation that negotiates DH with the default group.


 Neither side seems completely compelling; any more upsides/downsides to
 add?


 > looking like something they expect is better than looking like a
 > different unexpected thing each time.

 BTW, we don't look like a different unexpected thing each time: we use the
 same DH parameters for each response, and we look like an expected thing,
 which is "a server that has generated its own DH parameters".  They're all
 over.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5598#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
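Added illustration, not part of the ticket or of Tor's own code: the "strong prime tests" the comment refers to, as a defender would run them on a DH group before trusting it (p prime, (p-1)/2 prime, generator in range), plus a small safe-prime generator showing where the startup delay of generating your own group comes from. The check set and function names are my own choice, not OpenSSL's DH_check.

```python
import random

# Constructed example. Trial division by small primes, then Miller-Rabin.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n, rounds=40):
    """Probabilistic primality test; False means definitely composite."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # this base is a witness that n is composite
    return True

def check_dh_group(p, g):
    """Return the list of failed checks; an empty list means the group passes."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime((p - 1) // 2):
        problems.append("(p-1)/2 is not prime, so p is not a safe prime")
    if not 1 < g < p - 1:
        problems.append("generator g must satisfy 1 < g < p-1")
    return problems

def subgroup_order(p, g):
    """For a safe prime p, g has order q (quadratic residue) or 2q (whole group)."""
    q = (p - 1) // 2
    return q if pow(g, q, p) == 1 else 2 * q

def generate_safe_prime(bits):
    """Draw random q until q and p = 2q+1 are both prime; cost grows steeply with bits."""
    while True:
        q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p
```

With a toy group such as p=23, g=5 passes every check and generates the whole group (order 22), while g=2 passes the same checks but only generates the order-11 subgroup; at 1024 bits the generation loop is what a relay pays for at startup.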