Re: Road to RC4-free web (the case for YouTube without RC4)

2014-10-22 Thread Brian Smith
On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario wrote: > The number of sites that prefer RC4 while still supporting other ciphers > are > very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not > changing much. The percent of servers that support only RC4 is steadily > dropping (1.7

Re: Updates to the Server Side TLS guide

2014-10-22 Thread Hubert Kario
On Tuesday 21 October 2014 23:09:58 Julien Pierre wrote: > Julien, > > On 10/21/2014 18:02, Julien Vehent wrote: > > NSS is very rarely used in servers. > > Perhaps so statistically, but the products are still around. I notice > that Oracle/iPlanet/RedHat products are absent from the document. >

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-22 Thread Hubert Kario
On Tuesday 21 October 2014 16:10:52 Julien Pierre wrote: > Hubert, > > On 10/21/2014 05:06, Hubert Kario wrote: > > Yes, it's external to the TLS, and yes, it's bad that browsers do use > > the manual fallback. Yes, the servers should be regularly updated and > > as such bugs that cause it fixed.

Re: Road to RC4-free web (the case for YouTube without RC4)

2014-10-22 Thread Hubert Kario
On Wednesday 22 October 2014 00:59:53 Brian Smith wrote: > On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario wrote: > > The number of sites that prefer RC4 while still supporting other ciphers > > are > > very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not > > changing much. The pe

Re: Updates to the Server Side TLS guide

2014-10-22 Thread Julien Vehent
On 2014-10-22 08:02, Hubert Kario wrote: So, any comments to the proposed changes in opening mail? Yes :) But I haven't had any spare cycles yet... It's on the todo list! - Julien -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-cryp

Re: Road to RC4-free web (the case for YouTube without RC4)

2014-10-22 Thread Kosuke Kaizuka
On Wed, 22 Oct 2014 00:59:53 -0700, Brian Smith wrote: > On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario wrote: > >> The number of sites that prefer RC4 while still supporting other ciphers >> are >> very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not >> changing much. The perce

Re: Updates to the Server Side TLS guide

2014-10-22 Thread John Dennis
On 10/21/2014 09:02 PM, Julien Vehent wrote: > NSS is very rarely used in servers. Not true. Red Hat ships many products with NSS server configurations. -- John -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-22 Thread Julien Pierre
Hubert, On 10/22/2014 05:27, Hubert Kario wrote: Problem is that if something doesn't work in one browser and does in another users blame the browser. Even if the browser that doesn't work does the right thing. What if all browsers started doing the right thing ? Recommending the use of ob