Insane "security"

I’m trying to use the board.flatassembler.net site via HTTPS, but I can’t due to the SSL_ERROR_NO_CYPHER_OVERLAP error.

So here is the madness: I need to use PLAIN HTTP instead of “weak” TLS suites!

https://ssllabs.com/ssltest/analyze.html?d=board.flatassembler.net

It is a HUGE SECURITY HOLE FOR ME, BECAUSE “WEAK” SUITE IS MUCH STRONGER THAN NO SSL AT ALL!!!

Please fix that madness and let ME decide what kind of connection I need!

We disabled a number of “weaker” cyphers in TB12, about a year ago (some may have already been disabled). These cyphers combined accounted for approx 1% (from moz telemetry - 1% of total handshakes I guess, not traffic or sites). We then had to lock them, because after the TB12 release, we found numerous examples of users being told in forums/reddit/etc to change them to access the odd site.

see Consider disabling TLS ciphersuites containing SHA-1 (#40183) · Issues · The Tor Project / Applications / Tor Browser · GitLab

the top two of those were removed from use by mozilla - backport 1600437 : Disable CBC-mode ECDSA ciphers and stop advertising ECDSA+SHA1 (#41468) · Issues · The Tor Project / Applications / Tor Browser · GitLab

@PieroV might be able to add more, but introducing weakness (downgrade attacks) for the sake of the occasional odd site compromises the security of the other 99%, so this is unlikely to change, especially given that this is now established and accepted (anecdotally, yours is the first complaint I’ve seen in about a year), and the number of these cyphers in the wild is dwindling over time.
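The effect described in the reply above, as an added example that is not part of the original thread and is not Tor Browser's code: a small model of cipher-suite selection showing why removing SHA-1 and CBC-mode ECDSA suites from the client's offer leaves a legacy-only server with no overlap while a modern server is unaffected. The suite names are real IANA names; the client offer, both server lists, and the server-preference selection rule are assumptions constructed for illustration.

```python
# Added illustration: a model of TLS cipher-suite selection, not browser code.
# All three lists below are constructed samples, not any real site's config.

CLIENT_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
LEGACY_SERVER = [  # hypothetical server that only speaks SHA-1 CBC suites
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
MODERN_SERVER = [  # hypothetical server that prefers an AEAD suite
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]


def is_sha1_suite(name):
    """True when the suite's MAC is HMAC-SHA1 (IANA name ends in _SHA)."""
    return name.endswith("_SHA")


def is_cbc_ecdsa_suite(name):
    """True for CBC-mode suites authenticated with ECDSA."""
    return "_ECDSA_" in name and "_CBC_" in name


def apply_policy(offer):
    """Drop the two categories the thread says were disabled."""
    return [s for s in offer
            if not (is_sha1_suite(s) or is_cbc_ecdsa_suite(s))]


def negotiate(client_offer, server_prefs):
    """Server picks its first preference that the client also offered."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake fails with no cipher overlap


if __name__ == "__main__":
    for label, offer in (("before", CLIENT_OFFER),
                         ("after", apply_policy(CLIENT_OFFER))):
        print(label, "legacy:", negotiate(offer, LEGACY_SERVER))
        print(label, "modern:", negotiate(offer, MODERN_SERVER))
```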


So what is the last version that supports “weak” TLS suites?

https://archive.torproject.org/tor-package-archive/torbrowser/

We do not recommend using outdated and unsupported browser releases. IDK the last version and I’m not going to check (not even sure which cipher is involved)

I’m sure you do not recommend using outdated and unsupported browser releases, but you forgot about those users who use Tor Browser just as an ordinary web browser with high privacy and security and the ability to surf blocked resources. And I am one of them. And those users are definitely MORE than 1% from Mozilla’s telemetry. MUCH more. Might be those users are MOST. Please, think of it!

Will use 11.5a9 version with latest Tor Expert Bundle.

This is none of my business but…

You use Tor because it is oriented toward strong anonymity and security. It says this on their site.

Now you complain that it is too secure and call it madness. You want to decide what security and anonymity to use.

Good news! You can decide what you want.

You can use the https version with Google Chrome; also Mozilla Firefox; and Microsoft Edge… and many others.

And to hide your IP there are many “free” VPNs.

www dot 4everproxy dot com
www dot proxysite dot com

I would have given a thumbs down but could not find it.

And let me say it again. THIS IS NONE OF MY BUSINESS.

Now you complain that it is too secure and call it madness.

Please, read my first post again.

I complain that it is insecure to use plain HTTP instead of “weak”, but SECURE HTTPS!

That is madness!

Read the reply again. I am giving you options to use the “weak” https protocol which Tor does not allow and an option to come out of a VPN node from various countries. I never suggested using http.