I posted this on a blog comment, but others may be interested too.
As near as I can tell, the "logjam"/"weakdh" attacks should not affect current Tor software very much, for a few reasons:
* All currently supported Tor versions, when built with OpenSSL 1.0 or later, prefer 256-bit elliptic-curve Diffie Hellman for their TLS connections, not the 1024-bit Diffie Hellman over Z_p as discussed in this paper.
* We have never enabled "Export" crypto server-side or client-side.
* All currently supported Tor versions perform their circuit handshakes using the Curve25519-based "ntor" protocol, not the old "TAP" protocol which used 1024-bit DH.
* Actually, I think even the TAP protocol might be safe, since it sends an encrypted g^x, so even if you can take the discrete log of g^y, you don't even have g^x to use it with unless you can also break RSA1024.
* The TLS encryption in Tor is, for the most part, redundant with the layer of forward secrecy in the circuit handshakes, so that if either one is secure, Tor traffic should not be decryptable.
Recommendations:
* If you've ignored all our requests to upgrade to a recent Tor version (0.2.6 stable would be best), please do so soon. Anything older than 0.2.4 is NOT supported.
* If you're running OpenSSL 0.9.8 or earlier, you should consider upgrading to 1.0.0 or later.
* Make sure to apply vendor patches for your non-Tor software as they become available.
On the browser side, while waiting for vendor updates, Mozilla released https://addons.mozilla.org/en-US/firefox/addon/disable-dhe/ which does something very similar to https://addons.mozilla.org/en-us/firefox/addon/strict-ssl3-configuration/ (shameless plug) which disables broken or weak ciphers. I'm not and advocate of adding not-already-provided extensions to the TorBrowser but YMMV, it all boils down to your threat model (see also the note on my extension page).
Cheers, Marco
-
Nick Mathewson -
sid77@slackware.it