On 2014-01-03 16:09, Falcon Darkstar Momot wrote:
If I may weigh in, one could certainly argue that there isn't any benefit
in allowing these people to believe that their HTTPS connections are
actually secure when they're using ciphers that we know to be broken (how
much we know them to be broken is certainly up for debate).
Even with RC4 or 3DES, that HTTPS icon still tells a user that their abusive
relative can't read their emails on the house's proxy. What we, security
professional, define as secure is widely different from what the average user
wants or needs.
People can still go to whatever site they want even if they can't use
HTTPS, as long as the site is available over HTTP.
What if the NSA could break all crypto in the world within seconds? Would we
accept to type our passwords and emails over HTTP then? I suspect not.
I wouldn't bother actually dropping support for a cipher suite until it
can be trivially broken, though, as that is the point at which it has no
value. Anything else is excessively heavyhanded.
--FalconK
- Julien
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
