Please correct me if you have stats, but I suspect it may take some time to undo the work Qualys et al. have done to encourage everyone to force RC4 (even though they have retracted their advice since).
-------- Original message --------
From: Kurt Roeckx <k...@roeckx.be>
Date: 12/14/2013 13:52 (GMT-08:00)
To: mozilla's crypto code discussion list <dev-tech-crypto@lists.mozilla.org>
Subject: Re: Longterm crypto support

I'm not sure how widely EV is recognized. I'm pretty sure that almost nobody can tell the difference between blue and green, which now seems to be hidden until you click, or that there is this green name of the site in front of the URL on some https sites and not on others.

I do not believe that we can educate users, and so should do what is possible to protect them by default.

We currently do not support 40-bit ciphers or SSL v2 anymore, but you seem to suggest that we should. I believe there is a point in time that we should be able to say that we do not support them anymore.

So maybe we should disable everything that is not considered secure by default but let the user enable some of them that we still consider reasonable (like RC4-SHA1). This could for instance be something like if you connect to the intranet it should be allowed. But I really see no excuse for that over the internet.

I see no point in doing weak encryption, you might as well not encrypt it.

Kurt

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto