On Tue, Mar 4, 2014 at 7:05 AM, Nick Mathewson <[email protected]> wrote:
> On Mon, Mar 3, 2014 at 10:37 PM, Watson Ladd <[email protected]> wrote:
>
>> How about 6: Tor server to server connections should use
>> ECDHE+ChaCha20 or GCM_AES ciphersuites only?
>> This closes the UKS hole that enabled this attack to happen, and
>> probably is a good idea anyway.
>
> To make sure I understand, it's the ECDHE that's the defense here:
> unlike DHE, ECDHE implementations don't let the attacker pick an
> arbitrary set of parameters which might not define a real group, and
> so if ECDHE is used, the attacker can't force two connections to share
> the same keys.
That's exactly correct.

> I guess this is another "defense in depth" item: as of Tor 0.2.4.x*,
> the preferred ciphersuites are all ECDHE ones. But that isn't quite
> good enough, since non-ECDHE ciphersuites are still supported, so an
> attacker can simply pretend not to support them when talking to the
> client and the server.
>
> It would be helpful to know what fraction of 0.2.4.x servers support
> ECDHE ciphersuites today. That would let us figure out what obstacles
> there might be to dropping non-ECDHE ciphersuites in the future.
>
> * Assuming you're built with a good enough version of OpenSSL that
> doesn't have ECC turned off.
>
> best wishes,
> --
> Nick
> _______________________________________________
> tor-dev mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
