On Sun, Jun 29, 2014 at 5:35 PM, Hubert Kario <hka...@redhat.com> wrote:
> > > As I noted in my bug comment [1], I think that the rhetoric of us not > > adding any more RSA-key-exchange-based cipher suites, even the AES-GCM > > ones, is significant. Software engineers at multiple companies referenced > > our positions on this as part of making the business case for raising the > > priority of ECDHE support in their products. > > I fail to see how changing /non default/ settings affects that. > Some Linux distros may be tempted to change their default Firefox configuration files so that a different set of cipher suites is enabled by default. I am very opposed to that, and that's one of the biggest reasons why particularly in PSM I discourage preferences. > I mean, I've been surfing with disallowed pictures for mixed content > (security.mixed_content.block_display_content). You'd be surprised at > amount > of sites that break because of that. Disabled JavaScript is similar. > Webmasters make sites and configure servers against the lowest common > denominator: it works, then the work is done. They don't check what > happens if > the user is running non standard configuration. I've never seen a website > that said to the user to modify the settings in about:config to make the > site work as intended. > If it were up to me, we wouldn't have either of the block_display_content or disable-Javascript preferences either. Also, see Gavin's email here about adding such prefs in general. He basically says, "Don't do it." Note that Gavin is the Firefox module owner: https://groups.google.com/d/msg/mozilla.dev.platform/PL1tecuO0KA/e9BbmUAcRrwJ > 20% of Internet servers negotiating suboptimal ciphers is not *really bad*? > How much do we have to reach for that to be a problem? > It would be better to have less (no) RC4 usage but I don't think it is as urgent of a problem as you seem to. Also, I feel like it is really not a great use of time to re-open the debate about adding support for about-to-be-deprecated cipher suites to Firefox. In the short term, things are going to be suboptimal but we're far from disabling RC4 by default, and the default configuration is really what we care about. I am interested in discussing what we can do to help more server side products get better cipher suites by default, and on deciding whether we add support for ChaCha20-Poly1304, but otherwise I think we should table the discussion until more server-side products and more servers have had sufficient time to react to what we've already decided. Cheers, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
