[HTTPS-Everywhere] fetch.spec.whatwg.org and RC4-only tagging?

sjw at gmx.ch sjw at gmx.ch
Fri Feb 13 11:31:40 PST 2015


[ bringing this back on-list ]

On 13.02.2015 at 19:51, Daniel Kahn Gillmor wrote:
> On Fri 2015-02-13 12:14:19 -0500, Jonas Witmer wrote:
>>> I noticed that https://fetch.spec.whatwg.org only supports RC4 as its
>>> cipher.
>>>
>>> We have flags for things like uses cacert.  Should we have a flag for
>>> rc4-required?
>> Great idea. I disabled RC4 and some 128-bit ciphers in Firefox and run into
>> this issue many times (exactly on this site).
>> But I propose to implement a general 'weak-encryption' flag that also
>> includes the requirement of SSL 3 too. In future we could also add this flag
>> on hosts with no FS, TLS 1.0, 3DES etc.
> weak-encryption (actually, weak-encryption-required, right?) is nice
> because of the simpler semantics.  But the configuration choices in
> browsers are more subtle than that.  for example, i can turn off RC4
> while still allowing SSLv3, and vice versa.  wouldn't it be better to
> have the flag indicate what the issue is, so that https-e can test the
> specific parameter setting and discard the rule based on the config?
>
>          --dkg
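
The difference between one general flag and per-issue flags, as an added example that is not part of the original message and is not HTTPS Everywhere code. The flag names, the client-settings shape and every host except fetch.spec.whatwg.org are assumptions made for illustration.

```javascript
// Added illustration. Flag names and the client-settings shape are hypothetical.
// Each flag names one weak parameter a host requires and the client feature
// that must be enabled for HTTPS to that host to work.
const FLAG_FEATURE = {
  'rc4-required': 'rc4',
  'sslv3-required': 'sslv3',
};

// Constructed sample rulesets; only the first host comes from the thread.
const RULESETS = [
  { host: 'fetch.spec.whatwg.org', flags: ['rc4-required'] },
  { host: 'sslv3-only.example', flags: ['sslv3-required'] },
  { host: 'both.example', flags: ['rc4-required', 'sslv3-required'] },
  { host: 'modern.example', flags: [] },
];

// Granular check: keep the rule only if every required feature is enabled.
// An unknown flag fails closed, because rewriting to HTTPS would break the site.
function usableGranular(ruleset, client) {
  return ruleset.flags.every((flag) => {
    const feature = FLAG_FEATURE[flag];
    return feature !== undefined && client[feature] === true;
  });
}

// Coarse check: one 'weak-encryption-required' flag cannot say which parameter
// is needed, so the rule is safe only if the client disabled nothing weak.
function usableCoarse(ruleset, client) {
  if (ruleset.flags.length === 0) return true;
  return Object.values(FLAG_FEATURE).every((feature) => client[feature] === true);
}

// Hosts whose rule the coarse flag discards although the client can connect.
function lostToCoarseFlag(rulesets, client) {
  return rulesets
    .filter((r) => usableGranular(r, client) && !usableCoarse(r, client))
    .map((r) => r.host);
}

// Client from the quoted example: RC4 turned off, SSLv3 still allowed.
const client = { rc4: false, sslv3: true };
for (const r of RULESETS) {
  console.log(r.host, 'granular:', usableGranular(r, client), 'coarse:', usableCoarse(r, client));
}
console.log('discarded only by the coarse flag:', lostToCoarseFlag(RULESETS, client));
```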

