On Monday 02 March 2015 13:51:24 Kurt Roeckx wrote:
> On 2015-03-02 13:32, Hubert Kario wrote:
> > Not true. In Alexa top 1 million I found at least 439 servers which
> > support only 3DES and have valid certificates. If Firefox removes RC4,
> > I'm sure that this will make this number effectively only larger (80%
> > of servers still support RC4, 15% prefer RC4 over any and all ciphers).
> 
> Please note that since 36 (released last week) RC4 is not offered in the
> initial connection anymore.  See:
> https://developer.mozilla.org/en-US/Firefox/Releases/36#Security
> https://bugzilla.mozilla.org/show_bug.cgi?id=1088915

And those stats were from 36 only?

Anyway, Firefox still accepts 2048-bit RSA keys, which have approximately the
same security margin as 3DES. Dropping 3DES won't make the connections more
secure while it will cause connection problems with Windows 2k3 servers.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
