Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#299 closed change (fixed)

Drop support for RC4 cypher

Reported by: trev
Assignee: trev
Priority: P3
Milestone:
Module: Infrastructure
Keywords:
Cc:
Blocked By:
Blocking:
Platform:
Ready: yes
Confidential: no
Tester:
Verified working: no
Review URL(s):

http://codereview.adblockplus.org/6247625674194944

Description

Background

We are currently supporting the RC4 cypher; we even enforce it in order to save CPU time. However, RC4 isn't considered secure any more - see https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

What to change

Remove RC4 support as suggested by SSL Labs.

Change History (5)

comment:1 Changed 5 years ago by trev

  • Owner set to trev
  • Status changed from new to assigned

comment:2 Changed 5 years ago by trev

  • Review URL(s) modified (diff)
  • Status changed from assigned to reviewing

comment:3 Changed 5 years ago by trev

  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:4 Changed 5 years ago by Gingerbread Man

SSL Labs reports RC4 is still used. Does anyone care to comment on this, and the lack of Forward Secrecy?
https://adblockplus.org/forum/viewtopic.php?f=9&t=22901

comment:5 Changed 5 years ago by trev

That's a security provider, not one of our servers. We contacted them about improving the SSL configuration a while ago, so far without any response. The long-term solution will likely be only routing through them when actually necessary.
