Another meta-bug to collect the growing pile of TE reports of poorly maintained servers that break when browsers try to do the right thing.
Hubert - would it be possible to export a list of rc4 only domains from your monthly scan?
I guess so, but where should I put it? It's a long list (over 4000 entries) and posts on my blog are long as it is...
I think a simple list of domains attached to this bug would work great.
Created attachment 8577206
february 2015 rc4_servers.txt

List of servers that support only RC4 ciphersuites when connecting using Firefox, as seen between 19th and 27th of February 2015 using Alexa top 1 million sites.
Created attachment 8577209
rc4domains_sorted.csv

Thanks Hubert, that's really useful! I sorted the list by Alexa's ranking so it's easier to find the domains with large exposure. Here's the top10:

-rank- + -domain-
    86   clkmon.com
   565   examiner.com
   594   adultfriendfinder.com
   641   priceline.com
   817   magentocommerce.com
  1021   aa.com
  1386   sprint.com
  1405   orbitz.com
  1407   name.com
  1470   fandango.com
Depends on: 1143325
Created attachment 8585213
rc4_only.txt march 2014

Servers which support only RC4, as seen 16th and 27th of March 2015 using Alexa top 1 million sites.
Created attachment 8590477
Fx39 TLS 1.1/1.2 sites with RC4 cipher

The attached list are sites broken in Fx39. They connect on either TLS 1.1 or TLS 1.2, using the RC4 cipher. Note that there are some high-profile sites in there (starbucks.com, for example) so it would be worthwhile for an evangelist to triage this list. (A similar list of sites that only connect via TLS 1.0 is attached to bug 1124039.)

These were obtained by running the Pulse top 200k site list against Fx39.0a2. Let me know if you'd like me to run Fx39 against the Google CT site list of around 3 million sites.
(In reply to Matt Wobensmith from comment #7)
> The attached list are sites broken in Fx39. They connect on either TLS 1.1
> or TLS 1.2, using the RC4 cipher. Note that there are some high-profile
> sites in there (starbucks.com, for example) so it would be worthwhile for an
> evangelist to triage this list.

Thanks Matt! FWIW, I have already contacted several of the sites in this list (mostly things I consider "high importance" such as banks, universities, government websites etc, but others as well), so if someone wants to coordinate, please feel free.

> These were obtained by running the Pulse top 200k site list against
> Fx39.0a2. Let me know if you'd like me to run Fx39 against the Google CT
> site list of around 3 million sites.

I think it might be nice to do this at least once to discover more sites that aren't popular, but are still of "high importance". But I defer to the judgement of others.
(In reply to Karl Dubost :karlcow from comment #9)
> A new Webcompat issue
> https://webcompat.com/issues/997
> https://www.ssllabs.com/ssltest/analyze.html?d=commerce.cashnet.com&latest

I filed Bug 1164009.
All dependencies are fixed.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED