Delivery-Date: Wed, 15 Oct 2014 10:47:14 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID
	autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 286441E0269;
	Wed, 15 Oct 2014 10:47:12 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 1D4BC310BF;
	Wed, 15 Oct 2014 14:47:07 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id F1ED731095
 for <tor-talk@lists.torproject.org>; Wed, 15 Oct 2014 14:47:03 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 0zL9kDqNXdax for <tor-talk@lists.torproject.org>;
 Wed, 15 Oct 2014 14:47:03 +0000 (UTC)
Received: from mail-la0-x22b.google.com (mail-la0-x22b.google.com
 [IPv6:2a00:1450:4010:c03::22b])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 6F49A3108E
 for <tor-talk@lists.torproject.org>; Wed, 15 Oct 2014 14:47:03 +0000 (UTC)
Received: by mail-la0-f43.google.com with SMTP id mc6so1202178lab.30
 for <tor-talk@lists.torproject.org>; Wed, 15 Oct 2014 07:47:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :content-type; bh=DVjtheyrLOZVanwzcCcaN8oH8VjXggAZIdzcgppFhBQ=;
 b=Ns0DS1YKYRdOrWvEjI9ID7hcuLeSkDdOFRTvpjQQ/qFQk4qDmyT/Jc8XdhvThhv8iP
 XWVkAjR4kfPc8aJOQSog5Ek4JIpoQ1M00P4MhZXiXCUqmN3muufSVwdjlSv/Pp/R6RWb
 NNW7b6/L+6SPP7Z6VYCU7xHG/73FzcFTtrt1P9YHpW0cxBFGB4R0MXpe+t1SA+45w9Qa
 UJju5uXFM281Pu/zaQ9Fs91LsZQBQxc5qMheppQ7rZhy2DAJ/khWtKuqS3RcUAXVKyen
 ulCYoVyCZBG03029D42WBGj91yNA8ZH8K7hseqoLWgAfYONtUBNbM+Lha9UL7nOdswci
 AraA==
MIME-Version: 1.0
X-Received: by 10.112.182.1 with SMTP id ea1mr12737622lbc.16.1413384419983;
 Wed, 15 Oct 2014 07:46:59 -0700 (PDT)
Received: by 10.25.147.136 with HTTP; Wed, 15 Oct 2014 07:46:59 -0700 (PDT)
In-Reply-To: <C263F2B9-A585-4C22-A42D-D97589C940FA@mail.bitmessage.ch>
References: <mailman.6155.1413341583.22553.tor-talk@lists.torproject.org>
 <C263F2B9-A585-4C22-A42D-D97589C940FA@mail.bitmessage.ch>
Date: Wed, 15 Oct 2014 07:46:59 -0700
Message-ID: <CABqm9ZTBwzF9JVbFABDX8p+9DbQRZuUgmaiTFdm6cSKzTLfXdw@mail.gmail.com>
From: Greg Curcio <gregcurcio@gmail.com>
To: tor-talk@lists.torproject.org
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [tor-talk] howsmyssl
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

guys, i am not trying to be rude. i'm a sensitive. never been called rude.
i am 30 % fascinated by your back and forth. and 95% clueless
i didnt know that you ALL can see what i wrote,

i thought , or didnt think,:) it was like a regular chat, whomever was on
at the time saw what
i wrote, now i get it. Cant assume so much. like a lawyer or judge, and
hopefully a reporter and a spy,  they cant assume stuff. ok thanks.

Greg Curcio

On Wed, Oct 15, 2014 at 6:42 AM, <
BM-2cTjsegDfZQNGQWUQjSwro6jrWLC9B3MN3@bitmessage.ch> wrote:

>
>
> On Wed, 15 Oct 2014 02:53:03 +0000
> tor-talk-request@lists.torproject.org wrote:
>
> > Hi!  It's a new month, so that means there's a new attack on TLS.
> >
> > This time, the attack is that many clients, when they find a server
> > that doesn't support TLS, will downgrade to the ancient SSLv3.  And
> > SSLv3 is subject to a new padding oracle attack.
> >
> > There is a readable summary of the issue at
> > https://www.imperialviolet.org/2014/10/14/poodle.html .
> >
> > Tor itself is not affected: all released versions for a long time have
> > shipped with TLSv1 enabled, and we have never had a fallback mechanism
> > to SSLv3. Furthermore, Tor does not send the same secret encrypted in
> > the same way in multiple connection attempts, so even if you could
> > make Tor fall back to SSLv3, a padding oracle attack probably wouldn't
> > help very much.
> >
> > TorBrowser, on the other hand, does have the same default fallback
> > mechanisms as Firefox.  I expect and hope the TorBrowser team will be
> > releasing a new version soon with SSLv3 enabled.  But in the meantime,
> > I think you can disable SSLv3 yourself by changing the value of the
> > "security.tls.version.min" preference to 1.
> >
> > To do that:
> >
> > 1.  enter "about:config" in the URL bar.
> >
> > 2. Then you click "I'll be careful, I promise".
> >
> > 3. Then enter "security.tls.version.min" in the preference "search"
> > field underneath the URL bar.  (Not the search box next to the URL
> > bar.)
> >
> > 4. You should see an entry that says "security.tls.version.min" under
> > "Preference Name".  Double-click on it, then enter the value "1" and
> > click okay.
> >
> > You should now see that the value of "security.tls.version.min" is
> > set to one.
> >
> >
> > (Note that I am not a Firefox developer or a TorBrowser developer: if
> > you're cautious, you might want to wait until one of them says
> > something here before you try this workaround.)
> >
> >
> > Obviously, this isn't a convenient way to do this; if you are
> > uncertain of your ability to do so, waiting for an upgrade might be a
> > good move.  In the meantime, if you have serious security requirements
> > and you cannot disable SSLv3, it might be a good idea to avoid using
> > the Internet for a week or two while this all shakes out.
> >
> > best wishes to other residents of interesting times,
> > --
> > Nick
>
>
> While on the topic, these links discuss this issue and provide a test
> for the TLS suite:
> https://blog.dbrgn.ch/2014/1/8/improving_firefox_ssl_tls_security/
> https://www.howsmyssl.com/
>
> The link states that: Another issue is the support for the
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA cipher, which may or may not be a
> good idea to use: https://github.com/jmhodges/howsmyssl/pull/17.
> Firefox 26 supports cipher suites that are known to be insecure.
>
> This setting can also be disabled in the Firefox configuration. In the
> about:config screen, search for security.ssl3.rsa_fips_des_ede3_sha and
> disable it.
>
> Should this also occur in TBB?
>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

