Use X25519Kyber768 for TLS, when available, enablement of Post-Quantum Key Agreement Security Option

Feature Request: Default Enablement of Post-Quantum Key Agreement Security Option in Tor Browser

Summary:

To enhance the security and future-proofing of Tor Browser, it is requested that the security.tls.enable_kyber configuration option be enabled by default in the Tor Browser. This option facilitates support for post-quantum hybrid key exchange using X25519Kyber768, which provides robust protection against potential quantum threats.

Description:

Post-quantum cryptography is a crucial advancement in the field of security, designed to withstand the capabilities of quantum computers. Tor Browser currently supports a hybrid post-quantum key exchange mechanism, X25519Kyber768, which is available through the security.tls.enable_kyber option. However, this feature is disabled by default and requires manual activation. The network.http.http3.enable_kyber option for QUIC/HTTP3 will need to be enabled too, once the UDP traffic over Tor that is being prepared is finally deployed.

Benefits:

  • Enhanced Security: Enabling this feature by default will improve the browser's resistance to future quantum computing threats, ensuring a higher level of security for user communications.
  • Future-Proofing: As quantum computing technology advances, having this option enabled will prepare Tor Browser users for a more secure digital environment.
  • Consistency: Defaulting to this secure option aligns with Mozilla's commitment to leading-edge security practices.

Current Status:

  • As of Firefox Release 123.0, X25519Kyber768 is available but disabled by default.
  • The feature is expected to be supported by Firefox 124+ with the security.tls.enable_kyber setting.
  • Support for QUIC/HTTP3 with post-quantum key exchange is anticipated to be enabled in Firefox 128+ via the network.http.http3.enable_kyber option.

security.tls.enable_kyber

Tested working on tbb alpha android: TLS Key Exchange with X25519Kyber768Draft00.

Additional Context:

Request:

To maximize the security benefits and simplify user experience, we propose that Tor Browser sets the security.tls.enable_kyber option to true by default. This change will ensure that all users benefit from the advanced protection offered by post-quantum cryptographic methods without requiring manual configuration.

Thank you for considering this important enhancement to Firefox’s security features.

Edited by pseudonymisaTor