[tor-talk] time to disable 3DES?

Lee ler762 at gmail.com
Mon Oct 7 21:55:57 UTC 2013


On 10/7/13, grarpamp <grarpamp at gmail.com> wrote:
> On Mon, Oct 7, 2013 at 3:58 PM, Lee <ler762 at gmail.com> wrote:
>> Isn't it time to quit using DES?
>>
>> Finally gave TBB a try (version 2.3.25-13), seems to me that the
>> firefox component needs a lot of hardening.
>>
>> https://www.mikestoolbox.org/
>
> This may be a function of the crypto library on your box (if dynamic),
> rather than the supplied firefox itself (which it would be if static).
> I don't have TBB handy.

Sure seems to be a function of firefox.   Enter about:config in the
url bar, enter security.ssl in the search bar, double-click lines
containing 'des' to change the pref to false, revisit
https://www.mikestoolbox.org/


> printf 'GET / HTTP/1.0\n\n' \
>  | openssl_101e s_client -connect www.mikestoolbox.org:https -ign_eof
>  DHE-RSA-AES256-SHA256
>
> 0.9.8x: DHE-RSA-AES256-SHA
>
> And that particular toolbox doesn't seem to support certain suites, ie:
> ECDHE-RSA-AES256-GCM-SHA384: handshake failure

The point was showing the ciphers supported by the browser.  For this
case, I don't care what ciphers the server supports.

>> Client Cipher Suites:
>
> 3DES is probably not least of note as all posted were SHA1 or lesser.

Which means?

I know approximately zip about crypto, but AES was selected as the
replacement for DES back in 2000 & it seems like DES has always lived
under the cloud of "did NSA deliberately weaken it?"   So why keep it
around?  It's not like there are no alternatives..

Regards,
Lee

