Re: [Tails-dev] Logjam: Tor Browser 4.5.2, and... Tails 1.4.…

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Logjam: Tor Browser 4.5.2, and... Tails 1.4.x?
Hi,

Daniel Kahn Gillmor wrote (06 Jun 2015 03:47:33 GMT) :
> As the weakdh authors say, the ability to mount weakdh-style attacks
> requires non-negligible cryptographic sophistication. It seems likely
> that parties with this kind of skill, network reach, and motivation will
> be already using these attacks.


Yep. And then, letting them use it for a couple more weeks seems not
totally crazy to me, given all the harm already done and the cost (for
us, and then for Tails users) of pushing a bonus release.

> I don't know how many attackers will come up to speed between now and
> the 30th, in terms of additional exposure, but it's not the sort of
> attack that your average script kiddie can set up on the local wifi in a
> day either (i haven't seen or heard of any weaponized versions of it).


Indeed, given the precomputation cost, it seems that very few (if any)
adversaries have the means to come up to speed in this timeframe.

Also, I assume that lots of important servers have had their DH group
updated since the announcement, which decreases the benefits of publishing
a bonus Tails release. (Regarding the downgrade to export crypto side
of the attack, oh well, servers supporting that kind of crypto are
hopeless anyway.)

> I'd say fixing this would be a good thing, and doing so sooner is better
> if it doesn't come at the expense of the quality of 1.4.1.


Just in case there's been some misunderstanding: note that we will
have to put out a release at the end of the month anyway, to include
Firefox ESR security updates. So what's being discussed is whether we
want to *also* release another Tails between now and the 30th.
Our resources are finite and spread very thinly already, so modulo
"sacrifice mode" (that IMO is not sustainable at this point for many
of us), any work put into an earlier, bonus release will postpone
other tasks, and in turn make the next release slightly less awesome.

=> with this in mind, plus the answers we got regarding contributors'
availability, I'm currently leaning towards following Mozilla rather
than Tor Browser on this one.

> Thanks to all for your work on Tails,


Thanks for your very useful contributions too!

Cheers,
--
intrigeri