[tor-bugs] #25354 [Webpages/Website]: torproject.org using insecure ciphers/protocols (SSLv3, 3DES and RC4)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Feb 25 23:44:48 UTC 2018
#25354: torproject.org using insecure ciphers/protocols (SSLv3, 3DES and RC4)
----------------------------------+--------------------
Reporter: pege | Owner: (none)
Type: defect | Status: new
Priority: Very High | Milestone:
Component: Webpages/Website | Version:
Severity: Major | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
----------------------------------+--------------------
I just tried to update Tor Browser in Whonix on Qubes OS and got this
error: "curl_status_message: [35] - [SSL connect error. The SSL
handshaking failed.]".
I looked at it a bit closer and it looks like https://www.torproject.org
is currently using insecure ciphers.
{{{
openssl s_client -connect www.torproject.org:443
…
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
DD04CBDA08AEFB17B0DCF3696B4D09DE761F150E4886E33AB5334B4F1EBD7575
Session-ID-ctx:
Master-Key:
99B55DE1DB5319DC11D12C19C4DD1B3A1534331E4FB4E7C14A3C93628E068D970A0F493ED0EB878FA4E183F8F6656A4E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519601291
Timeout : 300 (sec)
Verify return code: 0 (ok)
}}}
Firefox Nightly tells me the cipher in use is:
{{{
TLS_RSA_WITH_3DES_EDE_CBC_SHA
}}}
And https://www.ssllabs.com/ssltest/analyze.html?d=www.torproject.org
tells me:
protocols:
{{{
Protocols
TLS 1.3 No
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 INSECURE Yes
}}}
ciphers:
{{{
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25354>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
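One way to turn the observations in this ticket into a repeatable check, as an added example that is neither part of the ticket nor the Tor Project's own tooling: it parses the `openssl s_client` session summary for the negotiated protocol and cipher, and grades that cipher together with the suites SSL Labs listed, using the same insecure/weak categories. The sample input is the ticket's own output embedded as a constructed string; the grading rules are an assumption stated in the comments.

```python
import re

# Constructed sample: the SSL-Session block as openssl s_client printed it in the ticket.
S_CLIENT_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
"""

# Suite names exactly as the SSL Labs report in the ticket lists them.
SSLLABS_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}       # broken (e.g. POODLE), must be off
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}   # no AEAD suites, legacy only


def grade_suite(name):
    """Grade an IANA- or OpenSSL-style suite name as 'insecure', 'weak' or 'ok' (assumed rules)."""
    n = name.upper().replace("-", "_")        # unify both naming styles
    if any(tag in n for tag in ("RC4", "MD5", "NULL", "EXPORT", "ANON")) \
            or re.search(r"(^|_)DES_CBC_", n):  # single DES, not 3DES/DES_CBC3
        return "insecure"                      # broken cipher, broken MAC or no auth/encryption
    if "3DES" in n or "DES_CBC3" in n:
        return "weak"                          # 64-bit block, 112-bit strength (Sweet32)
    if "DHE" not in n or "CBC" in n:           # 'DHE' also matches ECDHE
        return "weak"                          # no forward secrecy, or CBC with a generic MAC
    return "ok"


def grade_protocol(proto):
    if proto in INSECURE_PROTOCOLS:
        return "insecure"
    return "weak" if proto in DEPRECATED_PROTOCOLS else "ok"


def parse_s_client(text):
    """Return (protocol, cipher) from openssl s_client's SSL-Session summary."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if not proto or not cipher:
        raise ValueError("no SSL-Session summary found in s_client output")
    return proto.group(1), cipher.group(1)


def audit(s_client_text, offered_suites):
    """Combine the negotiated handshake and the offered suites into one verdict."""
    proto, cipher = parse_s_client(s_client_text)
    grades = {"protocol": grade_protocol(proto), "negotiated": grade_suite(cipher),
              "offered": {s: grade_suite(s) for s in offered_suites}}
    grades["acceptable"] = (grades["protocol"] == "ok" and grades["negotiated"] == "ok"
                            and all(g == "ok" for g in grades["offered"].values()))
    return grades
```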