----- Original Message -----
> From: "Brian Smith" <br...@briansmith.org>
> To: "mozilla's crypto code discussion list" 
> <dev-tech-crypto@lists.mozilla.org>
> Cc: mozilla-dev-tech-cry...@lists.mozilla.org
> Sent: Thursday, 10 July, 2014 9:41:43 PM
> Subject: Re: Road to RC4-free web (the case for YouTube without RC4)
> 
> On Thu, Jul 10, 2014 at 5:00 AM, Hubert Kario <hka...@redhat.com> wrote:
> > ----- Original Message -----
> >> From: "Brian Smith" <br...@briansmith.org>
> 
> <snip>
> 
> >> However, it is likely that crypto libraries that make the two changes
> >> above
> >> will also have support for TLS_ECDHE_*_WITH_AES_*_GCM cipher suites too.
> >> So, I hope that they also enable TLS_ECDHE_*_WITH_AES_*_GCM at the same
> >> time they deploy these changes.
> 
> <snip>
> 
> > What basis do you have to assume that server administrators will actually
> > upgrade their Apache/nginx/lighttpd/OpenSSL/etc. installations?
> 
> In this thread you pointed out that a number of websites had updated
> their servers to add TLS_RSA_WITH_AES*_GCM* and disable
> TLS_RSA_WITH_*_CBC_*, so that Firefox now only negotiates RC4 with
> them when it could be negotiating AES-GCM. The fact that they updated
> their servers to add non-ECDHE AES-GCM support is good evidence that
> these server administrators are paying attention and are likely to
> update if/when their server software vendor gives it to them if it
> solves a need (like improving what Firefox negotiates), right?

The non-ECDHE AES-GCM is "just" YouTube (which is the thorn in my side).

ECDHE with non-AES-GCM (but with SHA256) is 2% of the Internet.
Those connections could use AES instead of RC4 (and actually increase the % of
sites that negotiate PFS suites), with no change other than the addition of
a single cipher suite to Firefox: ECDHE-RSA-AES128-SHA256.

But I want to add those additional ciphers so that:
 * I can watch YouTube with an RC4-less Firefox
 * others (when using the extension/settings) have maximum interoperability
   after disabling RC4

> Regarding your request about how to write the addon: I don't have time
> to work on that addon, but I know it is possible to write it.

I appreciate the gesture, but I'm asking for pointers to documentation
or other addons that do something similar so that I could write it.

-- 
Regards,
Hubert Kario
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto