The Tor Browser is now using search.disconnect.me as the default search engine. I noticed they were offering TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) with a 1024-bit Diffie-Hellman key exchange and using common primes.
The client would have to elect to use this weak cipher or be downgraded to use it.
This is a nation-state-level threat allowing passive eavesdropping. Leaked agency documents point to this having been achieved.
The vulnerability and threat are explained at weakdh if you're not familiar with it. I notified disconnect.me on the 4th Jan 2016. They responded immediately and fixed it on the 8th Feb 2016. Other than this little hiccup they look good to me!
Nathan
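A way to check for the condition described above from a captured handshake, as an added example that is not part of the original post: it parses the ServerDHParams that a server sends for a DHE suite such as 0x33, reports the prime size, and fingerprints the prime so it can be compared with a list of primes known to be shared across servers. The 2048-bit floor, the function names, and the sample bytes are assumptions made for illustration; the sample prime is constructed and is not a real group.

```python
import hashlib
import struct

MIN_DH_BITS = 2048  # assumed policy floor; the post reports 1024-bit parameters


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (RFC 5246, 7.4.3): dh_p, dh_g, dh_Ys.

    Each field is a 2-byte big-endian length followed by that many bytes.
    Bytes after dh_Ys (the RSA signature for DHE_RSA) are ignored.
    """
    values, offset = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    return tuple(values)


def assess_dh_group(body: bytes, known_prime_hashes=frozenset()):
    """Return the prime size and whether it is small or on a shared-prime list."""
    p, g, _ys = parse_server_dh_params(body)
    bits = p.bit_length()
    digest = hashlib.sha256(p.to_bytes((bits + 7) // 8, "big")).hexdigest()
    return {
        "bits": bits,
        "generator": g,
        "too_small": bits < MIN_DH_BITS,
        "shared_prime": digest in known_prime_hashes,  # list supplied by the operator
        "p_sha256": digest,
    }


def field(value: int, size: int) -> bytes:
    """Encode one length-prefixed field for the constructed sample."""
    return struct.pack("!H", size) + value.to_bytes(size, "big")


# Constructed sample: a 1024-bit number standing in for dh_p (not a real prime).
SAMPLE_P = (1 << 1023) + 1155
SAMPLE_BODY = field(SAMPLE_P, 128) + field(2, 1) + field(1 << 777, 128)

if __name__ == "__main__":
    print(assess_dh_group(SAMPLE_BODY))
```
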
Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.
Thank You
After sharing this with my uni study group, we’re all aboard the Nathan express. Choo choo!