[tor-talk] time to disable 3DES?
Lee
ler762 at gmail.com
Tue Oct 8 01:49:29 UTC 2013
On 10/7/13, Yawning Angel <yawning at schwanenlied.me> wrote:
> * Lee <ler762 at gmail.com> [2013-10-07 15:58:19 -0400]:
>> Isn't it time to quit using DES?
>>
>> Finally gave TBB a try (version 2.3.25-13), seems to me that the
>> firefox component needs a lot of hardening.
>
> DES != 3DES, and supporting 3DES suites is standard across major browsers.
Right. But is it still safe to use?
> Additionally, having support for something does not mean that it will be used
but if it's turned off/disabled then I'm sure it won't be used
> (unless the webserver on the remote end is horrifically misconfigured, any
> one
> of the other CipherSuites sent in the ClientHello will be negotiated over
> the
> 3DES suites).
Who checks to see if the web server on the remote end is horrifically
misconfigured?
Not me..
> Considering that there are far better ways of attacking a TBB user than
> attacking the bulk cryptography I'm really failing to see the issue here.
My question is if there's a good reason to keep 3DES, not is there
some better way of attacking TBB users.
So... if you're visiting a web site that does only 3DES encryption,
is that good enuf or do you say no thanks & go elsewhere?
Regards,
Lee
More information about the tor-talk
mailing list