[tor-dev] How bad is not having 'enable-ec_nistp_64_gcc_128' really? (OpenBSD)

Yawning Angel yawning at schwanenlied.me
Mon Jun 22 20:45:09 UTC 2015

On Mon, 22 Jun 2015 15:55:59 -0400
"l.m" <ter.one.leeboi at hush.com> wrote:
> Last I heard NIST groups are rubbish. You're better off without them
> for security. Am I wrong?

DHE is worse (logjam being a recent high profile example), and is
far slower.  It's important to remember that TLS being broken while far
from ideal is insufficient for adversaries since they will need a
Curve25519 break as well to actually get plaintext.

It is worth noting that as of 0.2.7.x, tor will *require* OpenSSL with
ECDH support, and one of P-244 or P-256.  There is an IETF draft
circulating for standardizing other curves (Ed25519, Ed448) which
hopefully will see uptake in the longer run, but ECDHE with the NIST
curves is the current "least bad" choice.


Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150622/b567dcd2/attachment.sig>

More information about the tor-dev mailing list