On 10/7/13, grarpamp <[email protected]> wrote:
> On Mon, Oct 7, 2013 at 3:58 PM, Lee <[email protected]> wrote:
>> Isn't it time to quit using DES?
>>
>> Finally gave TBB a try (version 2.3.25-13), seems to me that the
>> firefox component needs a lot of hardening.
>>
>> https://www.mikestoolbox.org/
>
> This may be a function of the crypto library on your box (if dynamic),
> rather than the supplied firefox itself (which it would be if static).
> I don't have TBB handy.

Sure seems to be a function of firefox. Enter about:config in the url
bar, enter security.ssl in the search bar, double-click lines
containing 'des' to change the pref to false, revisit
https://www.mikestoolbox.org/

> printf 'GET / HTTP/1.0\n\n' \
> | openssl_101e s_client -connect www.mikestoolbox.org:https -ign_eof
> DHE-RSA-AES256-SHA256
>
> 0.9.8x: DHE-RSA-AES256-SHA
>
> And that particular toolbox doesn't seem to support certain suites, ie:
> ECDHE-RSA-AES256-GCM-SHA384: handshake failure

The point was showing the ciphers supported by the browser. For this
case, I don't care what ciphers the server supports.

>> Client Cipher Suites:
>
> 3DES is probably not least of note as all posted were SHA1 or lesser.

Which means? I know approximately zip about crypto, but AES was
selected as the replacement for DES back in 2000 & it seems like DES
has always lived under the cloud of "did NSA deliberately weaken it?"
So why keep it around? It's not like there are no alternatives..

Regards,
Lee
--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
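
Added example (not part of the thread above): the "Client Cipher Suites" listing discussed here comes from the browser's TLS ClientHello, so the effect of turning off the 'des' prefs can be checked locally by parsing a captured ClientHello record and listing any DES/3DES suites still offered. The function names and the SAMPLE record are constructed for illustration; the suite table is a small subset of the IANA registry.

```python
import struct

# Subset of the IANA TLS cipher suite registry (enough for the sample below).
SUITES = {
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def offered_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one TLS ClientHello record."""
    ctype, _ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                 # handshake header, client_version, random
    pos += 1 + body[pos]             # skip session_id
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return [s for (s,) in struct.iter_unpack("!H", body[pos:pos + n])]

def des_suites(ids):
    """Names of offered suites whose bulk cipher is single DES or 3DES."""
    names = [SUITES.get(i, f"unknown_0x{i:04X}") for i in ids]
    return [n for n in names if "DES" in n]

def build_client_hello(ids):
    """Construct a minimal TLS 1.0 ClientHello (sample data, no extensions)."""
    suites = b"".join(struct.pack("!H", i) for i in ids)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample: a client that still offers DES and 3DES next to AES.
SAMPLE = build_client_hello([0xC014, 0x0039, 0x0035, 0xC012, 0x0016, 0x000A, 0x0009])

if __name__ == "__main__":
    for name in des_suites(offered_suites(SAMPLE)):
        print("still offered:", name)
```

An empty result from des_suites() on a capture taken after the pref change confirms the browser no longer offers those suites.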
