  • #25418

Closed (moved)
Created Mar 04, 2018 by Trac@tracbot

TLS protocol and ciphers used on torproject websites

It appears to me that the TLS configurations and ciphers used on several Torproject websites are in desperate need of some love and attention.

For instance, the main website, https://www.torproject.org/, is only accessible using the old TLSv1.0, not the currently recommended TLSv1.2 (nor the upcoming TLSv1.3). Furthermore, it is not only the protocol versions which are in need of some attention; the ciphers used also need some improvements. For instance, RC4 is used in spite of RFC 7465 (apparently MD5 is also used).

If some site admin were to have a look at it but needs some help along the way, the Mozilla Foundation has created a recommended list of ciphers and protocols which can be used as a sort of "best common practice" for HTTPS configuration. And Qualys SSL Labs provides a quick and easy tool to test how it would be handled by various browsers and versions (along with some extra tests).

Sources: Qualys SSL Labs server test: https://www.ssllabs.com/ssltest/analyze.html?d=www.torproject.org

RFC 7465 - Prohibit RC4 Cipher Suites: https://tools.ietf.org/html/rfc7465

Mozilla Foundation's recommended configurations: https://wiki.mozilla.org/Security/Server_Side_TLS

Trac:
Username: NoNameForMee
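
The three problems named in the report above (no TLS 1.2 or newer, RC4 suites, MD5) can be checked mechanically against the output of any TLS scanner. The following is an added example, not part of the original ticket or of any Tor Project tooling; the function names, the scan dictionary layout and the sample data are assumptions made for illustration, and it goes slightly beyond the report by accepting both IANA and OpenSSL suite spellings.

```python
import re

# Versions older than TLS 1.2, the version the report calls currently recommended.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def audit_suite(name):
    """Return findings for one suite name (IANA or OpenSSL spelling)."""
    tokens = re.split(r"[_-]", name.upper())
    findings = []
    if "RC4" in tokens:
        findings.append("RC4 cipher, prohibited by RFC 7465")
    if tokens[-1] == "MD5":  # the trailing token names the MAC hash
        findings.append("MD5 used as the MAC hash")
    return findings


def audit_scan(scan):
    """Return (subject, finding) pairs for a dict with 'protocols' and 'suites'."""
    offered = set(scan["protocols"])
    report = [(p, "legacy protocol version offered")
              for p in sorted(offered & LEGACY_PROTOCOLS)]
    if not offered & MODERN_PROTOCOLS:
        report.append(("protocols", "no TLS 1.2 or newer offered"))
    for suite in scan["suites"]:
        report.extend((suite, f) for f in audit_suite(suite))
    return report


# Constructed sample input (hypothetical layout), not a real scan of any site.
SAMPLE_SCAN = {
    "protocols": ["TLSv1.0"],
    "suites": [
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}

if __name__ == "__main__":
    for subject, finding in audit_scan(SAMPLE_SCAN):
        print(f"{subject}: {finding}")
```
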
