Bug 1138101 (RC4-Dependence)

[META] Sites that still haven't upgraded to something better than RC4

RESOLVED FIXED

Status

defect
RESOLVED FIXED
5 years ago
5 months ago

People

(Reporter: davemgarrett, Unassigned)

Tracking

({site-compat})

Firefox Tracking Flags

(Not tracked)


Attachments

(4 attachments)

Another meta-bug to collect the growing pile of TE reports of poorly maintained servers that break when browsers try to do the right thing.
See Also: → TLS-Intolerance
Alias: BAD-CIPHERS → RC4-Dependence
Depends on: 1138142
Depends on: 1129887
Depends on: 1138211
Depends on: 1138231
Depends on: 1112110
Depends on: 1138451
Depends on: 1138588
Depends on: 1138613
Depends on: 1138673
Depends on: 1139046
Depends on: 1139705
Depends on: 1139706
Depends on: 1139782
Depends on: 1139783
Depends on: 1139784
Depends on: 1139819
Depends on: 1117157
Depends on: 1140876
Depends on: 1140919
Depends on: 1141521
Depends on: 1141604
Depends on: 1141742
Depends on: 1141746
Depends on: 1141933
Depends on: 1141989
Depends on: 1142187
Depends on: 1132399
Depends on: 1141580
Depends on: 1142703
Hubert - would it be possible to export a list of rc4 only domains from your monthly scan?
Flags: needinfo?(hkario)
Depends on: 1132440
I guess so, but where should I put it? It's a long list (over 4000 entries) and posts on my blog are long as it is...
Flags: needinfo?(hkario)
I think a simple list of domains attached to this bug would work great.
List of servers that support only RC4 ciphersuites when connecting using Firefox, as seen between 19th and 27th of February 2015 using Alexa top 1 million sites.
Thanks Hubert, that's really useful!
I sorted the list by Alexa's ranking so it's easier to find the domains with large exposure. Here's the top 10:

rank     domain
86       clkmon.com
565      examiner.com
594      adultfriendfinder.com
641      priceline.com
817      magentocommerce.com
1021     aa.com
1386     sprint.com
1405     orbitz.com
1407     name.com
1470     fandango.com
Depends on: 1143072
Depends on: 1143254
Depends on: 1143035
Depends on: 1143375
Depends on: 1144639
Depends on: 1144646
Depends on: 1144726
Depends on: 1144769
Depends on: 1145242
Depends on: 1145183
Depends on: 1146120
Depends on: 1146090
Depends on: 1146281
Depends on: 1146319
Depends on: 1146755
Depends on: 1137981
Depends on: 1127204
Depends on: 1147578
Depends on: 1147627
Depends on: 1147649
Depends on: 1147717
No longer depends on: 1147627
Depends on: 1148465
Servers which support only RC4, as seen 16th and 27th of March 2015 using Alexa top 1 million sites.
Depends on: 1111354
Depends on: 1150816
Depends on: 1152347
Depends on: 1152827
The attached list are sites broken in Fx39. They connect on either TLS 1.1 or TLS 1.2, using the RC4 cipher. Note that there are some high-profile sites in there (starbucks.com, for example) so it would be worthwhile for an evangelist to triage this list.

(A similar list of sites that only connect via TLS 1.0 is attached to bug 1124039.)

These were obtained by running the Pulse top 200k site list against Fx39.0a2. Let me know if you'd like me to run Fx39 against the Google CT site list of around 3 million sites.
(In reply to Matt Wobensmith from comment #7)
> The attached list are sites broken in Fx39. They connect on either TLS 1.1
> or TLS 1.2, using the RC4 cipher. Note that there are some high-profile
> sites in there (starbucks.com, for example) so it would be worthwhile for an
> evangelist to triage this list.

Thanks Matt! FWIW, I have already contacted several of the sites in this list (mostly things I consider "high importance" such as banks, universities, government websites etc, but others as well), so if someone wants to coordinate, please feel free.

> These were obtained by running the Pulse top 200k site list against
> Fx39.0a2. Let me know if you'd like me to run Fx39 against the Google CT
> site list of around 3 million sites.

I think it might be nice to do this at least once to discover more sites that aren't popular, but are still of "high importance". But I defer to the judgement of others.
Depends on: 1152990
No longer depends on: 1152990
Depends on: 1153168
Depends on: 1153180
Depends on: 1153951
Depends on: 1154285
Depends on: 1147627
Depends on: 1155567
Depends on: 1152465
Depends on: 1156004
Depends on: 1157139
Depends on: 1158465
No longer depends on: 1158465
Depends on: 1158755
Depends on: 1160817
Depends on: 1160122
Depends on: 1163716
Depends on: 1163720
Depends on: 1163791
Depends on: 1164009
Depends on: 1165579
Depends on: 1165580
Depends on: 1165582
Depends on: 1166644
Depends on: 1167190
Depends on: 1167893
Depends on: 1167894
Depends on: 1172793
Depends on: 1173661
Depends on: 1173592
Depends on: 1174974
Depends on: 1174957
Depends on: 1176640
Depends on: 1182932
Depends on: 1182997
Depends on: 1187242
Depends on: 1190706
Depends on: 1192651
Depends on: 1193948
Depends on: 1156441
No longer depends on: 1200505
No longer depends on: 1152827
Depends on: 1204415
No longer depends on: 1116782
Depends on: 1205686
Depends on: 1208739
Depends on: 1211210
Depends on: 1229677
Depends on: 1231382
Depends on: 1232053
Depends on: 1236031
Depends on: 1244660
Depends on: 1244935
All dependencies are fixed.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility