[HTTPS-Everywhere] fetch.spec.whatwg.org and RC4-only tagging? [was: Re: Ruleset style guide]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Feb 13 08:15:48 PST 2015
sorry for the change of subject, triggered by your example:
On Thu 2015-02-12 19:14:23 -0500, Jacob Hoffman-Andrews wrote:
> <ruleset name="WHATWG.org">
> <target host="whatwg.org" />
> <target host="developers.whatwg.org" />
> <target host="html-differences.whatwg.org" />
> <target host="images.whatwg.org" />
> <target host="resources.whatwg.org" />
> <target host="*.spec.whatwg.org" />
> <target host="wiki.whatwg.org" />
> <target host="www.whatwg.org" />
>
> <test url="http://html.spec.whatwg.org/" />
> <test url="http://fetch.spec.whatwg.org/" />
> <test url="http://xhr.spec.whatwg.org/" />
> <test url="http://dom.spec.whatwg.org/" />
>
> <rule from="^http:"
> to="https:" />

I noticed that https://fetch.spec.whatwg.org only supports RC4 as its
cipher.

RC4 is strongly deprecated by the TLS WG:

https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-01

(about to be adopted as an official RFC)

and is widely understood to be flawed.

People whose browsers are configured to reject RC4 are likely to get a
"no matching ciphersuite" message when connecting to these servers.

We have flags for things like uses cacert. Should we have a flag for
rc4-required?

--dkg
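
An added illustration, not part of the original message or of the HTTPS Everywhere code: a small model of TLS cipher suite selection showing why a client with RC4 disabled cannot complete a handshake with an RC4-only server, and how scan results could be classified for a tag like the one proposed above. The host names, suite lists and server-preference ordering are constructed assumptions.

```python
# Added illustration: models TLS cipher suite selection to show why an
# RC4-only server fails for clients that have RC4 disabled.
# Host names and suite lists below are constructed sample data.

def is_rc4(suite):
    """True for IANA suite names that use the RC4 stream cipher."""
    return "_RC4_" in suite

def negotiate(client_offer, server_supported):
    """Return the first server-preferred suite the client also offers, or None
    (the server would answer with a handshake_failure alert)."""
    offered = set(client_offer)
    for suite in server_supported:
        if suite in offered:
            return suite
    return None

def classify(server_supported):
    """'rc4-only', 'rc4-offered' or 'no-rc4' for a server's suite list."""
    rc4 = [s for s in server_supported if is_rc4(s)]
    if rc4 and len(rc4) == len(server_supported):
        return "rc4-only"
    return "rc4-offered" if rc4 else "no-rc4"

# Constructed client configuration; the second has RC4 removed.
CLIENT_DEFAULT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
CLIENT_NO_RC4 = [s for s in CLIENT_DEFAULT if not is_rc4(s)]

# Constructed scan results (hypothetical hosts, server preference order).
SERVERS = {
    "rc4-only.example": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"],
    "mixed.example": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "modern.example": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}

def report(servers=SERVERS):
    """Map host -> (class, suite for default client, suite for no-RC4 client)."""
    return {
        host: (classify(suites), negotiate(CLIENT_DEFAULT, suites),
               negotiate(CLIENT_NO_RC4, suites))
        for host, suites in servers.items()
    }

if __name__ == "__main__":
    for host, row in report().items():
        print(host, *row)
```

Only the `rc4-only` class breaks for a client that rejects RC4; the `mixed.example` row shows a server that prefers RC4 but still completes the handshake with another suite.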