[tor-talk] time to disable 3DES?

Lee ler762 at gmail.com
Tue Oct 8 01:49:29 UTC 2013

On 10/7/13, Yawning Angel <yawning at schwanenlied.me> wrote:
> * Lee <ler762 at gmail.com> [2013-10-07 15:58:19 -0400]:
>> Isn't it time to quit using DES?
>> Finally gave TBB a try (version 2.3.25-13), seems to me that the
>> firefox component needs a lot of hardening.
> DES != 3DES, and supporting 3DES suites is standard across major browsers.

Right.  But is it still safe to use?

> Additionally, having support for something does not mean that it will be used

but if it's turned off/disabled then I'm sure it won't be used

> (unless the webserver on the remote end is horrifically misconfigured, any
> one
> of the other CipherSuites sent in the ClientHello will be negotiated over
> the
> 3DES suites).

Who checks to see if the web server on the remote end is horrifically
Not me..

> Considering that there are far better ways of attacking a TBB user than
> attacking the bulk cryptography I'm really failing to see the issue here.

My question is if there's a good reason to keep 3DES, not is there
some better way of attacking TBB users.

So...  if you're visiting a web site that does only 3DES encryption,
is that good enuf or do you say no thanks & go elsewhere?


More information about the tor-talk mailing list