[tor-bugs] #20751 [Applications/TorBirdy]: enforce stronger ciphers in torbirdy
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 24 05:36:37 UTC 2016
#20751: enforce stronger ciphers in torbirdy
-------------------------------------------------+-------------------------
Reporter: cypherpunks | Owner: sukhbir
Type: enhancement | Status: new
Priority: Low | Milestone:
Component: Applications/TorBirdy | Version:
Severity: Minor | Resolution:
Keywords: torbirdy, thunderbird, | Actual Points:
TorBirdy0.2.2 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by sukhbir):
* keywords: torbirdy, thunderbird => torbirdy, thunderbird, TorBirdy0.2.2
Comment:
Thanks for reporting this issue.
We have been meaning to do this and while we do have safer secure defaults
than Thunderbird (see below from components/torbirdy.js), I agree we can
do better.
{{{
// Thunderbird 23.0 uses the following preference.
// https://bugs.torproject.org/11253
"security.tls.version.min": 1,
"security.tls.version.max": 3,
}}}
and ...
{{{
// Reject all connection attempts to servers using the old SSL/TLS
protocol.
"security.ssl.require_safe_negotiation": true,
// Warn when connecting to a server that uses an old protocol version.
"security.ssl.treat_unsafe_negotiation_as_broken": true,
}}}
Part of the reason I delayed this was because we need a way for users to
be able to use less secure defaults via TorBirdy's preferences and I
haven't spend much time thinking on how to do that yet.
Let's tackle this in the 0.2.2 release.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20751#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list