Opened on 04/10/2014 at 06:30:35 PM
Closed on 04/28/2014 at 10:35:18 AM
Last modified on 06/10/2014 at 06:19:25 PM
#299 closed change (fixed)
Drop support for RC4 cypher
Reported by: | trev | Assignee: | trev |
---|---|---|---|
Priority: | P3 | Milestone: | |
Module: | Infrastructure | Keywords: | |
Cc: | | Blocked By: | |
Blocking: | | Platform: | |
Ready: | yes | Confidential: | no |
Tester: | | Verified working: | no |
Review URL(s): | | | |
Description
Background
We are currently supporting the RC4 cypher; we even enforce it in order to save CPU time. However, RC4 isn't considered secure any more - see https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
What to change
Remove RC4 support as suggested by SSL Labs.
Attachments (0)
Change History (5)
comment:1 Changed on 04/26/2014 at 10:05:49 PM by trev
- Owner set to trev
- Status changed from new to assigned
comment:2 Changed on 04/26/2014 at 10:06:04 PM by trev
- Review URL(s) modified (diff)
- Status changed from assigned to reviewing
comment:3 Changed on 04/28/2014 at 10:35:18 AM by trev
- Resolution set to fixed
- Status changed from reviewing to closed
comment:4 Changed on 06/05/2014 at 06:05:36 AM by Gingerbread Man
SSL Labs reports RC4 is still used. Does anyone care to comment on this, and the lack of Forward Secrecy?
https://adblockplus.org/forum/viewtopic.php?f=9&t=22901
comment:5 Changed on 06/10/2014 at 06:19:25 PM by trev
That's a security provider, not one of our servers. We contacted them about improving the SSL configuration a while ago, so far without any response. The long-term solution will likely be only routing through them when actually necessary.
Fixed: https://hg.adblockplus.org/infrastructure/rev/3ab5c5bef729
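Added example, not part of this ticket or of the infrastructure repository: a Python check for the two points raised above, RC4 being enforced (description) and RC4 plus missing forward secrecy on a front end (comment:4). It takes a server's cipher suites in preference order, as an SSL Labs report lists them; the suite lists and the function names classify/audit are constructed for illustration.

```python
import re
import ssl

FS_KEY_EXCHANGES = {"ECDHE", "DHE", "EDH"}  # ephemeral Diffie-Hellman variants

# Constructed sample lists (not taken from any real server), most preferred first.
BEFORE = ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
AFTER = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "AES128-SHA"]


def classify(suite):
    """Return (uses_rc4, forward_secret) for an OpenSSL or IANA suite name."""
    tokens = re.split(r"[-_]", suite.upper())
    uses_rc4 = "RC4" in tokens
    # TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no WITH and are always ephemeral.
    tls13 = tokens[0] == "TLS" and "WITH" not in tokens
    forward_secret = tls13 or bool(FS_KEY_EXCHANGES & set(tokens))
    return uses_rc4, forward_secret


def audit(preference_order):
    """Audit a server's suites, listed in the order the server prefers them."""
    flags = [(s, *classify(s)) for s in preference_order]
    rc4 = [s for s, is_rc4, _ in flags if is_rc4]
    fs = [s for s, _, is_fs in flags if is_fs]
    return {
        "rc4_suites": rc4,
        # RC4 first in server preference order: every client offering it gets RC4.
        "rc4_enforced": bool(flags) and flags[0][1],
        "forward_secret_suites": fs,
        "ok": not rc4 and bool(fs),
    }


if __name__ == "__main__":
    for label, suites in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(suites))
    # The same audit applied to what the local OpenSSL build enables by default.
    local = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    print("local default context", audit(local)["ok"])
```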