[tor-dev] Quick logjam/Tor analysis.

Nick Mathewson nickm at torproject.org
Tue May 26 13:25:22 UTC 2015

I posted this on a blog comment, but others may be interested too.

As near as I can tell, the "logjam"/"weakdh" attacks should not affect
current Tor software very much, for a few reasons:

  * All currently supported Tor versions, when built with OpenSSL 1.0 or
    later, prefer 256-bit elliptic-curve Diffie Hellman for their TLS
    connections, not the 1024-bit Diffie Hellman over Z_p as discussed in
    this paper.

  * We have never enabled "Export" crypto server-side or client-side.

  * All currently supported Tor versions perform their circuit handshakes
    using the Curve25519-based "ntor" protocol, not the old "TAP" protocol
    which used 1024-bit DH.

 * Actually, I think even the TAP protocol might be safe, since it
sends an encrypted g^x, so even if you can take the discrete log of
g^y, you don't even have g^x to use it with unless you can also break

  * The TLS encryption in Tor is, for the most part, redundant with the layer
    of forward secrecy in the circuit handshakes, so that if either one is
    secure, Tor traffic should not be decryptable.


  * If you've ignored all our requests to upgrade to a recent Tor version
    (0.2.6 stable would be best), please do so soon.  Anything older than
    0.2.4 is NOT supported.

  * If you're running OpenSSL 0.9.8 or earlier, you should consider upgrading
    to 1.0.0 or later.

  * Make sure to apply vendor patches for your non-Tor software as they
    become available.

More information about the tor-dev mailing list