[tor-talk] time to disable 3DES?
yawning at schwanenlied.me
Tue Oct 8 04:03:38 UTC 2013
* Lee <ler762 at gmail.com> [2013-10-07 21:49:29 -0400]:
> On 10/7/13, Yawning Angel <yawning at schwanenlied.me> wrote:
> > * Lee <ler762 at gmail.com> [2013-10-07 15:58:19 -0400]:
> >> Isn't it time to quit using DES?
> >> Finally gave TBB a try (version 2.3.25-13), seems to me that the
> >> firefox component needs a lot of hardening.
> > DES != 3DES, and supporting 3DES suites is standard across major browsers.
> Right. But is it still safe to use?
Why wouldn't it be? As far as I can tell you have yet to come up with any
convincing reason as to why it's broken beyond "the NSA had a hand in it's
design" and "the name has DES in it".
Note that Stephan Lucks' attack requires too many known plaintexts to be
relevant in this context and is still (probably) computationally infeasable.
> So... if you're visiting a web site that does only 3DES encryption,
> is that good enuf or do you say no thanks & go elsewhere?
*shrugs* If I noticed, it would be amusing since the webserver is buring a lot
of CPU by using 3DES, and I would question the system adminstrator's
sanity/competence, but on it's own, it's not a sufficient reason for me to
ignore the site.
This is getting offtopic so I will stop now.
: If that's sufficient reason to drop something, the only cipher suite on the
list that you would have left is TLS_RSA_WITH_RC4_128_MD5.
More information about the tor-talk