On Fri, Aug 16, 2013 at 9:25 PM, C. Scott Ananian <[email protected]> wrote:
> That said, I'm not part of the operations team either so I can't answer
> definitively. I agree that it would probably be useful to have more formal
> progress reporting. "Can't disable RC4 in the cipher suite until more than
> N% of our readers are using <a set of known good browsers>" for example.
> There has been discussion elsewhere on wmf lists about metrics reporting.
> Once the blockers were quantified, it would be easier for interested
> people to 'count the days' until greater security could be enforced, or to
> bring pressure to bear on upstream providers (of the chrome browser, of DNS
> root zones, etc) where security fixes are needed.
>

To be fair, I'm really only talking about non-restrictive changes. For example, right now we *only* have RC4. Rather than disable RC4 (which would have consequences), I'm saying why haven't other normal ciphers been enabled? I don't foresee us doing anything like "all HTTPS for everybody" anytime in the near future.

--
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | [email protected]
