Guys, I am not trying to be rude. I'm a sensitive. Never been called rude. I am 30% fascinated by your back and forth, and 95% clueless. I didn't know that you ALL can see what I wrote,
I thought, or didn't think :), it was like a regular chat, whoever was on at the time saw what I wrote. Now I get it. Can't assume so much. Like a lawyer or judge, and hopefully a reporter and a spy, they can't assume stuff. OK, thanks.

Greg Curcio

On Wed, Oct 15, 2014 at 6:42 AM, <bm-2ctjsegdfzqngqwuqjswro6jrwlc9b3...@bitmessage.ch> wrote:

> On Wed, 15 Oct 2014 02:53:03 +0000
> tor-talk-requ...@lists.torproject.org wrote:
>
> > Hi! It's a new month, so that means there's a new attack on TLS.
> >
> > This time, the attack is that many clients, when they find a server
> > that doesn't support TLS, will downgrade to the ancient SSLv3. And
> > SSLv3 is subject to a new padding oracle attack.
> >
> > There is a readable summary of the issue at
> > https://www.imperialviolet.org/2014/10/14/poodle.html .
> >
> > Tor itself is not affected: all released versions for a long time have
> > shipped with TLSv1 enabled, and we have never had a fallback mechanism
> > to SSLv3. Furthermore, Tor does not send the same secret encrypted in
> > the same way in multiple connection attempts, so even if you could
> > make Tor fall back to SSLv3, a padding oracle attack probably wouldn't
> > help very much.
> >
> > TorBrowser, on the other hand, does have the same default fallback
> > mechanisms as Firefox. I expect and hope the TorBrowser team will be
> > releasing a new version soon with SSLv3 enabled. But in the meantime,
> > I think you can disable SSLv3 yourself by changing the value of the
> > "security.tls.version.min" preference to 1.
> >
> > To do that:
> >
> > 1. enter "about:config" in the URL bar.
> >
> > 2. Then you click "I'll be careful, I promise".
> >
> > 3. Then enter "security.tls.version.min" in the preference "search"
> > field underneath the URL bar. (Not the search box next to the URL
> > bar.)
> >
> > 4. You should see an entry that says "security.tls.version.min" under
> > "Preference Name". Double-click on it, then enter the value "1" and
> > click okay.
> >
> > You should now see that the value of "security.tls.version.min" is
> > set to one.
> >
> >
> > (Note that I am not a Firefox developer or a TorBrowser developer: if
> > you're cautious, you might want to wait until one of them says
> > something here before you try this workaround.)
> >
> >
> > Obviously, this isn't a convenient way to do this; if you are
> > uncertain of your ability to do so, waiting for an upgrade might be a
> > good move. In the meantime, if you have serious security requirements
> > and you cannot disable SSLv3, it might be a good idea to avoid using
> > the Internet for a week or two while this all shakes out.
> >
> > best wishes to other residents of interesting times,
> > --
> > Nick
>
> While on the topic, these links discuss this issue and provide a test
> for the TLS suite:
> https://blog.dbrgn.ch/2014/1/8/improving_firefox_ssl_tls_security/
> https://www.howsmyssl.com/
>
> The link states that: Another issue is the support for the
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA cipher, which may or may not be a
> good idea to use: https://github.com/jmhodges/howsmyssl/pull/17.
> Firefox 26 supports cipher suites that are known to be insecure.
>
> This setting can also be disabled in the Firefox configuration. In the
> about:config screen, search for security.ssl3.rsa_fips_des_ede3_sha and
> disable it.
>
> Should this also occur in TBB?
>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk