[ bringing this back on-list ]

On 13.02.2015 at 19:51, Daniel Kahn Gillmor wrote:
> On Fri 2015-02-13 12:14:19 -0500, Jonas Witmer wrote:
>>> I noticed that https://fetch.spec.whatwg.org only supports RC4 as its
>>> cipher.
>>>
>>> We have flags for things like uses cacert. Should we have a flag for
>>> rc4-required?
>> Great idea. I disabled RC4 and some 128bit ciphers in Firefox and run into
>> this issue many times (exactly on this site).
>> But I propose to implement a general 'weak-encryption' flag, that also
>> includes requirement of SSL 3 too. In future we could also add this flag
>> on hosts with no FS, TLS 1.0, 3DES etc.
> weak-encryption (actually, weak-encryption-required, right?) is nice
> because of the simpler semantics. But the configuration choices in
> browsers are more subtle than that. for example, i can turn off RC4
> while still allowing SSLv3, and vice versa. wouldn't it be better to
> have the flag indicate what the issue is, so that https-e can test the
> specific parameter setting and discard the rule based on the config?
>
> --dkg
_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
