[tor-bugs] #25418 [Webpages]: TLS protocol and ciphers used on torproject websites

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Mar 4 13:24:21 UTC 2018


#25418: TLS protocol and ciphers used on torproject websites
------------------------------+--------------------
     Reporter:  NoNameForMee  |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Webpages      |    Version:
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------
 It appears to me that the TLS configurations and ciphers used on several
 Torproject websites are in desperate need of some love and attention.

 For instance the main website, https://www.torproject.org/ is only
 accessible using the old TLSv1.0, not the currently recommended TLSv1.2
 (nor the upcoming TLSv1.3). Furthermore, it is not only the protocol
 versions which are in need of some attention; the ciphers used also
 need some improvements. For instance RC4 is used in spite of RFC 7465
 (apparently MD5 is also used).

 If some site admin were to have a look at it but needs some help along
 the way, the Mozilla Foundation has created a recommended list of ciphers
 and protocols which can be used as a sort of "best common practice" for
 HTTPS configuration. And Qualys SSL Labs provides a quick and easy tool to
 test how it would be handled by various browsers and versions (along with
 some extra tests).

 Sources:
 Qualys SSL Labs server test:
 https://www.ssllabs.com/ssltest/analyze.html?d=www.torproject.org

 RFC 7465 - Prohibit RC4 Cipher Suites:
 https://tools.ietf.org/html/rfc7465

 Mozilla Foundation's recommended configurations:
 https://wiki.mozilla.org/Security/Server_Side_TLS

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25418>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
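
The three issues the ticket names (no TLSv1.2 or newer, RC4 suites, MD5) can be checked mechanically; the following is an added example, not part of the original ticket or any Tor Project code. The names `audit`, `SAMPLE_SCAN` and `handshake_tls12_or_newer` are hypothetical, and the sample data is constructed for illustration, not a real scan result.

```python
import socket
import ssl

# Constructed sample of what a scanner might report for one host:
# protocol version -> cipher suites the server accepted (IANA names).
SAMPLE_SCAN = {
    "TLSv1.0": [
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
}

MODERN = {"TLSv1.2", "TLSv1.3"}


def audit(scan):
    """Return sorted findings for the three issues the ticket names."""
    findings = set()
    accepted = {proto for proto, suites in scan.items() if suites}
    if not accepted & MODERN:
        findings.add("no TLSv1.2 or TLSv1.3 support")
    for proto in accepted - MODERN:
        findings.add(f"legacy protocol accepted: {proto}")
    for suites in scan.values():
        for suite in suites:
            parts = suite.split("_")
            if "RC4" in parts:
                findings.add(f"RC4 suite (prohibited by RFC 7465): {suite}")
            if parts[-1] == "MD5":
                findings.add(f"MD5-based MAC: {suite}")
    return sorted(findings)


def handshake_tls12_or_newer(host, port=443, timeout=5.0):
    """Live check: negotiated version at TLSv1.2+, or None on any failure
    (refused handshake, certificate error, network error)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


if __name__ == "__main__":
    for line in audit(SAMPLE_SCAN):
        print(line)
```

`audit` works offline on scanner output; `handshake_tls12_or_newer` needs network access and is meant for hosts you administer.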

