sorry for the change of subject, triggered by your example:

On Thu 2015-02-12 19:14:23 -0500, Jacob Hoffman-Andrews wrote:
> <ruleset name="WHATWG.org">
> <target host="whatwg.org" />
> <target host="developers.whatwg.org" />
> <target host="html-differences.whatwg.org" />
> <target host="images.whatwg.org" />
> <target host="resources.whatwg.org" />
> <target host="*.spec.whatwg.org" />
> <target host="wiki.whatwg.org" />
> <target host="www.whatwg.org" />
>
> <test url="http://html.spec.whatwg.org/" />
> <test url="http://fetch.spec.whatwg.org/" />
> <test url="http://xhr.spec.whatwg.org/" />
> <test url="http://dom.spec.whatwg.org/" />
>
> <rule from="^http:"
> to="https:" />

I noticed that https://fetch.spec.whatwg.org only supports RC4 as its cipher.

RC4 is strongly deprecated by the TLS WG:

https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-01

(about to be adopted as an official RFC) and is widely understood to be flawed.

People whose browsers are configured to reject RC4 are likely to get a "no matching ciphersuite" message when connecting to these servers.

We have flags for things like uses cacert. Should we have a flag for rc4-required?

--dkg

_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
