Use X25519Kyber768 for TLS, when available, enablement of Post-Quantum Key Agreement Security Option

Feature Request: Default Enablement of Post-Quantum Key Agreement Security Option in Tor Browser

Summary:

To enhance the security and future-proofing of Tor Browser, it is requested that the security.tls.enable_kyber configuration option be enabled by default in the Tor Browser. This option facilitates support for post-quantum hybrid key exchange using X25519Kyber768, which provides robust protection against potential quantum threats.

Description:

Post-quantum cryptography is a crucial advancement in the field of security, designed to withstand the capabilities of quantum computers. Tor Browser currently supports a hybrid post-quantum key exchange mechanism, X25519Kyber768, which is available through the security.tls.enable_kyber option. However, this feature is disabled by default and requires manual activation. The network.http.http3.enable_kyber option also needs to be enabled for QUIC/HTTP3 once UDP traffic over Tor, which is being prepared, is finally deployed.

Benefits:

  • Enhanced Security: Enabling this feature by default will improve the browser's resistance to future quantum computing threats, ensuring a higher level of security for user communications.
  • Future-Proofing: As quantum computing technology advances, having this option enabled will prepare Tor Browser users for a more secure digital environment.
  • Consistency: Defaulting to this secure option aligns with Mozilla's commitment to leading-edge security practices.

Current Status:

  • As of Firefox Release 123.0, X25519Kyber768 is available but disabled by default.
  • The feature is expected to be supported by Firefox 124+ with the security.tls.enable_kyber setting.
  • Support for QUIC/HTTP3 with post-quantum key exchange is anticipated to be enabled in Firefox 128+ via the network.http.http3.enable_kyber option.

security.tls.enable_kyber

Tested working on TBB alpha for Android: TLS key exchange with X25519Kyber768Draft00.

Additional Context:

Request:

To maximize the security benefits and simplify user experience, we propose that Tor Browser sets the security.tls.enable_kyber option to true by default. This change will ensure that all users benefit from the advanced protection offered by post-quantum cryptographic methods without requiring manual configuration.

Thank you for considering this important enhancement to Firefox’s security features.

Edited by pseudonymisaTor