On Friday, January 3, 2014 6:24:23 PM UTC+2, Julien Vehent wrote:
> According to http://www.modern.ie/ie6countdown:
>
> * 22.2% of China uses IE6
> * 4.9% of users worldwide use IE6
>
> I believe that our job, as security professionals, is to provide the best
> security to everyone. Not only to the people that have a better access to
> technology.

I think it would be good to separate these four questions:

1) What ciphersuite list should Firefox use for initial TLS handshake? (Hopefully no RC4 ciphersuites on this list in the future--following IE11's lead.)

2) What ciphersuite list should Firefox use for a downgrade handshake? (Probably needs to include RC4 ciphersuites for some time.)

3) What ciphersuite list should Mozilla recommend to Mozilla servers that aren't on the Firefox download path and to third-party server admins? (Hopefully this list wouldn't be influenced by IE on XP--at least not after April.)

4) What ciphersuite list should Mozilla use for those servers that IE on XP needs to handshake with in order for the user to use IE on XP to download Firefox?

It seems that the OP focused on #1, you are focusing on #4 and there are others who are focusing on #3.

I think https://wiki.mozilla.org/Security/Server_Side_TLS would become better if it distinguished between #3 and #4, since the doc is read by third-party admins but Mozilla is a special case, because Mozilla needs to make it possible to download Firefox using IE on XP and, therefore, needs to use a worse config than what third parties could use for their servers.

BTW, is there any progress in terms of getting the vendor that needs to connect to Mozilla's servers using Java 6 to upgrade?

--
Henri Sivonen
hsivo...@hsivonen.fi
https://hsivonen.fi/

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto