New SSLv3 attack found: Disable SSLv3 in TorBrowser
Hi! It's a new month, so that means there's a new attack on TLS.
This time, the attack is that many clients, when they find a server that doesn't support TLS, will downgrade to the ancient SSLv3. And SSLv3 is subject to a new padding oracle attack.
There is a readable summary of the issue at Adam Langley's blog; it links to other descriptions of the attack.
Tor itself is not affected: all released versions for a long time have shipped with TLSv1 enabled, and we have never had a fallback mechanism to SSLv3. Furthermore, Tor does not send the same secret encrypted in the same way in multiple connection attempts, so even if you could make Tor fall back to SSLv3, a padding oracle attack probably wouldn't help very much.
TorBrowser, on the other hand, is based on Firefox, and has the same protocol downgrade mechanisms as Firefox. I expect and hope the TorBrowser team will be releasing a new version soon with SSLv3 disabled. But in the meantime, I think you can disable SSLv3 yourself by changing the value of the "security.tls.version.min" preference to "1". (The default value is "0".)
To do that:
- Enter "about:config" in the URL bar.
- Then you click "I'll be careful, I promise".
- Then enter "security.tls.version.min" in the preference "search" field underneath the URL bar. (Not the search box next to the URL bar.)
- You should see an entry that says "security.tls.version.min" under "Preference Name". Double-click on it, then enter the value "1" and click okay.
You should now see that the value of "security.tls.version.min" is set to one.
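To confirm the setting outside about:config, the following added example (not part of the original post) reads the text of a profile's prefs.js and user.js and reports the effective "security.tls.version.min". It assumes the standard `user_pref("name", value);` line format of those files and the default of 0 stated above; the sample file contents are constructed.

```python
import re

PREF = "security.tls.version.min"
DEFAULT_MIN = 0  # default stated in the post; 0 leaves SSLv3 enabled

# Matches lines such as: user_pref("security.tls.version.min", 1);
# Commented-out lines (starting with // or #) do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_pref(text, name=PREF):
    """Return the last integer assigned to `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            try:
                value = int(m.group(2))
            except ValueError:
                continue  # malformed (non-integer) value: ignore this line
    return value


def effective_min(prefs_js, user_js=""):
    """user.js is applied over prefs.js at startup, so check it first."""
    for text in (user_js, prefs_js):
        value = read_pref(text)
        if value is not None:
            return value
    return DEFAULT_MIN


def sslv3_allowed(prefs_js, user_js=""):
    """True when the minimum version is still 0, i.e. SSLv3 is accepted."""
    return effective_min(prefs_js, user_js) < 1


# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("security.tls.version.min", 0);
'''
SAMPLE_USER_JS = 'user_pref("security.tls.version.min", 1);\n'

if __name__ == "__main__":
    print("prefs.js only:", "SSLv3 allowed" if sslv3_allowed(SAMPLE_PREFS_JS) else "SSLv3 disabled")
    print("with user.js: ", "SSLv3 allowed" if sslv3_allowed(SAMPLE_PREFS_JS, SAMPLE_USER_JS) else "SSLv3 disabled")
```

To audit a real profile, pass in the text of its prefs.js and, if present, user.js.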
(Note that I am not a Firefox developer or a TorBrowser developer: if you're cautious, you might want to wait until one of them says something here before you try this workaround. On the other hand, if you believe me, you should probably do this in your regular Firefox as well.)
Obviously, this isn't a convenient way to do this; if you are uncertain of your ability to do so, waiting for an upgrade might be a good move. In the meantime, if you have serious security requirements and you cannot disable SSLv3, it might be a good idea to avoid using the Internet for a week or two while this all shakes out.
Best wishes to other residents of these interesting times.
Comments
Please note that the comment area below has been archived.
Have done this, thanks!!
https://www.imperialviolet.org/2014/10/14/poodle.html
This way of doing it is confirmed to work.
I think I'll just wait for the next release
And, it's ready:
https://blog.torproject.org/blog/tor-browser-40-released
but _remember_ disabling sslv3 you will be distinct from others dummies
Totally unrelated comment here: Of sites where you can ask general questions of actual lawyers, (JustAnswer.com, Avvo.com, and Justia.com, there may be more) only Justia.com allows account creation and posting via TorBrowser with Javascript and Flash fully disabled in about:config & about:addons. SSL implementation is inconsistent, though. Accounts.justia.com got an F from SSL Labs. Fortunately, there's no real name policy.
Official Mozilla Security Blog entry https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-…
The blog links to an add-on that can turn off SSL 3.0 for you: https://addons.mozilla.org/firefox/addon/ssl-version-control/
No, just move to Tor Browser 4.0.
Even better. Strike-out/remove my comment #comment-76976 above?
http://www.metafilter.com/131948/FBI-Admits-It-Controlled-Tor-Servers-B…
FBI malwares Tor servers!
The people who wrote those articles either didn't understand much about Tor, or they intentionally wrote ambiguous and confusing titles.
"FBI malwares web servers" is the correct title. Some people ran some web servers, and some FBI people broke into them.
Nothing to do with Tor servers, sorry.
NSA targets privacy people (all of TOR)
https://gigaom.com/2014/07/03/nsa-targeted-tor-server-administrator-in-…
NSA wants you to use Tor
http://www.counterpunch.org/2014/07/18/the-nsa-wants-you-to-trust-tor-s…
See all the discussion at
https://blog.torproject.org/blog/being-targeted-nsa
I'll give it a try. Thanks.
did you delete the counter?
Counter?