Hi, Daniel Kahn Gillmor wrote (06 Jun 2015 03:47:33 GMT) : > As the weakdh authors say, the ability to mount weakdh-style attacks > requires non-negligible cryptographic sophistication. It seems likely > that parties with this kind of skill, network reach, and motivation will > be already using these attacks.
Yep. And then, letting them use it for a couple more weeks seems not totally crazy to me, given all the harm already done and the cost (for us, and then for Tails users) of pushing a bonus release. > I don't know how many attackers will come up to speed between now and > the 30th, in terms of additional exposure, but it's not the soft of > attack that your average script kiddie can set up on the local wifi in a > day either (i haven't seen or heard of any weaponized versions of it). Indeed, given the precomputation cost, it seems that very few (if any) adversaries have the means to come up to speed in this timeframe. Also, I assume that lots of important servers have had their DH group updated since the announce, which decreases the benefits of publishing a bonus Tails release. (Regarding the downgrade to export crypto side of the attack, oh well, servers supporting that kind of crypto are hopeless anyway.) > I'd say fixing this would be a good thing, and doing so sooner is better > if it doesn't come at the expense of the quality of 1.4.1. Just in case there's been some misunderstanding: note that we will have to put out a release at the end of the month anyway, to include Firefox ESR security updates. So what's being discussed is whether we want to *also* release another Tails between now and the 30th. Our resources are finite and spread very thinly already, so modulo "sacrifice mode" (that IMO is not sustainable at this point for many of us), any work put into an earlier, bonus release will postpone other tasks, and in turn make the next release slightly less awesome. => with this in mind, plus the answers we got regarding contributors' availability, I'm currently leaning towards following Mozilla rather than Tor Browser on this one. > Thanks to all for your work on Tails, Thanks for your very useful contributions too! Cheers, -- intrigeri _______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
