This might be not the topic of this discussion, but I think it's related (it's a recommend cipher, too).
What's the reason why we do not support AES_128_GCM ciphers? They are more secure than AES_128_CBC, but the performance is likely the same. Also See https://bugzilla.mozilla.org/show_bug.cgi?id=975832#c1: YouTube offers only RC4 and TLS_RSA_WITH_AES_128_GCM_SHA256. So if a user want to disable RC4 in Browser to force more secure ciphers, he will fail watching YouTube videos. On Google Chrome you are able to disable RC4 and still using videos, because it supports AES with GCM. There are may be other websites with only RC4 ciphers (and of course, they should change!), but they are not as important as the compatibility to YouTube. Am 09.09.14 um 04:01 schrieb [email protected]: > On Saturday, August 16, 2014 8:45:15 AM UTC-7, [email protected] wrote: >> Hello world! >> >> >> >> We need votes for security bugs! >> >> >> >> Adding "Security Exception" for self-signed HTTPS sites cannot be done >> >> permanently >> >> https://bugzilla.mozilla.org/show_bug.cgi?id=1050100 >> >> >> >> Firefox 31 doesn't supports the industry recommended best HTTPS >> >> ciphers >> >> https://bugzilla.mozilla.org/show_bug.cgi?id=1051210 >> >> >> >> Other browsers should have the same bugs fixed.. >> >> >> >> p.s.: We are not related to this group, but we think they worth a >> >> penny or two: >> >> http://www.openbsdfoundation.org/donations.html >> >> http://www.libressl.org/ >> >> >> >> Good luck. Be safe.. > I can't remember where the hell I read the thread and google is failing me, > but the arguments against using 256 bit AES in modern browsers were basically > this: > > -256-bit AES doesn't add very much security when an attack on 128-bit is > still so far off > -256-bit AES is slower than 128-bit > -256-bit AES would be more vulnerable to a theoretical timing attack > > If anyone can remember where this was posted or if it's down right wrong, > please let me know. > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
