Bug 1138101 (RC4-Dependence)

[META] Sites that still haven't upgraded to something better than RC4

RESOLVED FIXED

4 years ago
2 years ago

People

(Reporter: davemgarrett, Unassigned)

Tracking

({site-compat})

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(4 attachments)

(Reporter)

Description

4 years ago
Another meta-bug to collect the growing pile of TE reports of poorly maintained servers that break when browsers try to do the right thing.
(Reporter)

Updated

4 years ago
See Also: → bug 1126620
(Reporter)

Updated

4 years ago
Alias: BAD-CIPHERS → RC4-Dependence
Depends on: 1138142
Depends on: 1129887
(Reporter)

Updated

4 years ago
Depends on: 1138211

Updated

4 years ago
Depends on: 1138231
Depends on: 1112110

Updated

4 years ago
Depends on: 1138451

Updated

4 years ago
Depends on: 1138588
Depends on: 1138613
Depends on: 1138673

Updated

4 years ago
Depends on: 1139046

Updated

4 years ago
Depends on: 1139705

Updated

4 years ago
Depends on: 1139706

Updated

4 years ago
Depends on: 1139782

Updated

4 years ago
Depends on: 1139783

Updated

4 years ago
Depends on: 1139784

Updated

4 years ago
Depends on: 1139819

Updated

4 years ago
Depends on: 1117157

Updated

4 years ago
Depends on: 1140876
Depends on: 1140919
Depends on: 1141521
Depends on: 1141604

Updated

4 years ago
Depends on: 1141742

Updated

4 years ago
Depends on: 1141746
Depends on: 1141933

Updated

4 years ago
Depends on: 1141989
Depends on: 1142187

Updated

4 years ago
Depends on: 1132399

Updated

4 years ago
Depends on: 1141580
Depends on: 1142703
Hubert - would it be possible to export a list of rc4 only domains from your monthly scan?
Flags: needinfo?(hkario)
Depends on: 1132440

Comment 2

4 years ago
I guess so, but where should I put it? It's a long list (over 4000 entries) and posts on my blog are long as it is...
Flags: needinfo?(hkario)
I think a simple list of domains attached to this bug would work great.

Comment 4

4 years ago
Created attachment 8577206 [details]
february 2015 rc4_servers.txt

List of servers that support only RC4 ciphersuites when connecting using Firefox, as seen between 19th and 27th of February 2015 using Alexa top 1 million sites.
Created attachment 8577209 [details]
rc4domains_sorted.csv

Thanks Hubert, that's really useful!
I sorted the list by Alexa's ranking so it's easier to find the domains with large exposure. Here's the top 10:

-rank- + -domain-
86       clkmon.com
565      examiner.com
594      adultfriendfinder.com
641      priceline.com
817      magentocommerce.com
1021     aa.com
1386     sprint.com
1405     orbitz.com
1407     name.com
1470     fandango.com
Depends on: 1143072
Depends on: 1143254

Updated

4 years ago
Depends on: 1143035
(Reporter)

Updated

4 years ago
Depends on: 1143375
Depends on: 1144058
Depends on: 1144639
Depends on: 1144646
Depends on: 1144726

Updated

4 years ago
Depends on: 1144769

Updated

4 years ago
Depends on: 1145242

Updated

4 years ago
Depends on: 1145183
Depends on: 1146120

Updated

4 years ago
Depends on: 1146090

Updated

4 years ago
Depends on: 1146281

Updated

4 years ago
Depends on: 1146319

Updated

4 years ago
Depends on: 1146755

Updated

4 years ago
Depends on: 1137981

Updated

4 years ago
Depends on: 1127204

Updated

4 years ago
Depends on: 1147578

Updated

4 years ago
Depends on: 1147627

Updated

4 years ago
Depends on: 1147649
Depends on: 1147717

Updated

4 years ago
No longer depends on: 1147627
Depends on: 1148744

Updated

4 years ago
Depends on: 1148465

Comment 6

4 years ago
Created attachment 8585213 [details]
rc4_only.txt march 2014

Servers which support only RC4, as seen 16th and 27th of March 2015 using Alexa top 1 million sites.

Updated

4 years ago
Depends on: 1111354

Updated

4 years ago
Depends on: 1150816

Updated

4 years ago
Depends on: 1152347
Depends on: 1152827
Created attachment 8590477 [details]
Fx39 TLS 1.1/1.2 sites with RC4 cipher

The attached list are sites broken in Fx39. They connect on either TLS 1.1 or TLS 1.2, using the RC4 cipher. Note that there are some high-profile sites in there (starbucks.com, for example) so it would be worthwhile for an evangelist to triage this list.

(A similar list of sites that only connect via TLS 1.0 is attached to bug 1124039.)

These were obtained by running the Pulse top 200k site list against Fx39.0a2. Let me know if you'd like me to run Fx39 against the Google CT site list of around 3 million sites.

Comment 8

4 years ago
(In reply to Matt Wobensmith from comment #7)
> The attached list are sites broken in Fx39. They connect on either TLS 1.1
> or TLS 1.2, using the RC4 cipher. Note that there are some high-profile
> sites in there (starbucks.com, for example) so it would be worthwhile for an
> evangelist to triage this list.

Thanks Matt! FWIW, I have already contacted several of the sites in this list (mostly things I consider "high importance" such as banks, universities, government websites, etc., but others as well), so if someone wants to coordinate, please feel free.

> These were obtained by running the Pulse top 200k site list against
> Fx39.0a2. Let me know if you'd like me to run Fx39 against the Google CT
> site list of around 3 million sites.

I think it might be nice to do this at least once to discover more sites that aren't popular, but are still of "high importance". But I defer to the judgement of others.
Depends on: 1152990

Updated

4 years ago
No longer depends on: 1152990

Updated

4 years ago
Depends on: 1153168

Updated

4 years ago
Depends on: 1153180
(Reporter)

Updated

4 years ago
Depends on: 1153951

Updated

4 years ago
Depends on: 1154285

Updated

4 years ago
Depends on: 1147627

Updated

4 years ago
Depends on: 1155567

Updated

4 years ago
Depends on: 1152465
Depends on: 1156004
Depends on: 1157139

Updated

4 years ago
Depends on: 1158465

Updated

4 years ago
No longer depends on: 1158465
Depends on: 1158584

Updated

4 years ago
Depends on: 1158755
Depends on: 1160817

Updated

4 years ago
Depends on: 1160122
Depends on: 1163716
Depends on: 1163720
Depends on: 1163791

Updated

4 years ago
Depends on: 1164009

Updated

4 years ago
Depends on: 1165579

Updated

4 years ago
Depends on: 1165580

Updated

4 years ago
Depends on: 1165582

Updated

4 years ago
Depends on: 1166644
(Reporter)

Updated

4 years ago
Depends on: 1167190

Updated

4 years ago
Depends on: 1167893

Updated

4 years ago
Depends on: 1167894
Depends on: 1172793

Updated

4 years ago
Depends on: 1173661

Updated

4 years ago
Depends on: 1173592
(Reporter)

Updated

4 years ago
Depends on: 1174974

Updated

4 years ago
Depends on: 1174957
Depends on: 1176640
Depends on: 1182932

Updated

4 years ago
Depends on: 1182997

Updated

3 years ago
Depends on: 1187242

Updated

3 years ago
Depends on: 1190706

Updated

3 years ago
Depends on: 1192651
Depends on: 1193948

Updated

3 years ago
Depends on: 1156441
Depends on: 1200505
No longer depends on: 1200505

Updated

3 years ago
No longer depends on: 1152827
Depends on: 1202517

Updated

3 years ago
Depends on: 1204415
Depends on: 1116782
No longer depends on: 1116782
Depends on: 1205686
Depends on: 1208739
Depends on: 1211210

Updated

3 years ago
Depends on: 1229677

Updated

3 years ago
Depends on: 1231382

Updated

3 years ago
Depends on: 1232053
Depends on: 1236031
Depends on: 1244660
Depends on: 1244935
All dependencies are fixed.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED