The number of sites that prefer RC4 while still supporting other ciphers is very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not changing much. The percentage of servers that support only RC4 is steadily dropping (1.771% in April[3], 1.194% in May[2], 0.985% in June[1]).
Because of that, disabling RC4 should be possible for many users. The big exception to that was YouTube video servers[4], which only recently gained support for TLS_RSA_WITH_AES_128_GCM_SHA256.

So let me be blunt. Why can't we have[5] a setting that will allow users of over 2% of servers to increase their security[6] and make YouTube usable for people that disabled RC4[7,8,9], while we have a setting like security.ssl3.rsa_seed_sha which, as far as I can see, affects no servers[6]? Note that I'm not talking about changing the default configuration, I'm talking only about adding optional functionality.

Full analysis is available here: http://securitypitfalls.wordpress.com/2014/06/29/is-rc4-less

1 - http://securitypitfalls.wordpress.com/2014/06/24/rc4-only
2 - http://securitypitfalls.wordpress.com/2014/06/24/may-2014
3 - http://securitypitfalls.wordpress.com/2014/05/07/cipher-scan
4 - https://www.ssllabs.com/ssltest/analyze.html?d=r4---sn-uxaxovg-5goz.googlevideo.com
5 - https://bugzilla.mozilla.org/show_bug.cgi?id=1029179
6 - http://securitypitfalls.wordpress.com/2014/06/29/is-rc4-less
7 - https://github.com/klemens/ff-youtube-all-html5/issues/24
8 - https://support.mozilla.org/en-US/questions/990082
9 - https://productforums.google.com/forum/#!searchin/youtube/rc4/youtube/VuVshylMDO0/EMuBNFmgQLwJ

--
Regards,
Hubert Kario

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
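The reasoning in the post (RC4-only servers break when a client drops RC4, servers that merely prefer RC4 do not, and a fallback-style setting would serve both) worked through on constructed scan data. This is an added example, not code from the post or from Mozilla; the hosts and cipher lists are invented, and the "rc4_fallback" policy is an assumed model of the requested setting, not a description of the actual bug 1029179 proposal.

```python
# Constructed scan results (not real hosts): each server's supported suites
# in the server's own order of preference, most preferred first.
SCAN = {
    "rc4-first.example": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "rc4-only.example": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"],
    "aes-first.example": ["TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_SHA"],
    "no-rc4.example": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}

def is_rc4(suite):
    return "_RC4_" in suite

def classify(suites):
    """Bucket a server the way the post's percentages do."""
    if all(is_rc4(s) for s in suites):
        return "rc4-only"
    if is_rc4(suites[0]):
        return "prefers-rc4"
    return "other"

def negotiate(server_suites, client_offers_rc4):
    """Server-preference selection: the first suite in the server's list
    that the client offers. The client is assumed to support every
    non-RC4 suite; None means no common suite (handshake failure)."""
    for s in server_suites:
        if client_offers_rc4 or not is_rc4(s):
            return s
    return None

def outcome(server_suites, mode):
    """Suite reached under three client policies: 'rc4_enabled' (default),
    'rc4_disabled', or 'rc4_fallback' (assumed model of the requested
    setting: handshake without RC4 first, retry with RC4 only on failure)."""
    if mode == "rc4_enabled":
        return negotiate(server_suites, True)
    if mode == "rc4_disabled":
        return negotiate(server_suites, False)
    if mode == "rc4_fallback":
        first = negotiate(server_suites, False)
        return first if first is not None else negotiate(server_suites, True)
    raise ValueError(mode)

def compare_policies(scan, mode):
    """Per-host result under a policy: 'fails', 'rc4' or 'non-rc4'."""
    out = {}
    for host, suites in scan.items():
        s = outcome(suites, mode)
        out[host] = "fails" if s is None else ("rc4" if is_rc4(s) else "non-rc4")
    return out
```

Running compare_policies over SCAN for the three modes shows the trade-off the post describes: disabling RC4 outright fails only on the RC4-only host, while the fallback policy keeps that host reachable and still moves the RC4-preferring host off RC4.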