Bug 1147627 - fbf8.com is RC4 only
Status: RESOLVED FIXED (Closed)
Opened 9 years ago; closed 9 years ago
Product / Component: Web Compatibility :: Site Reports (defect)
Tracking: Not tracked
Reporter: Cykesiopka; Assigned: fryn
https://www.ssllabs.com/ssltest/analyze.html?d=fbf8.com :
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
Comment 1 (Reporter), 9 years ago

To the people who run fbf8.com: Firefox 39 (scheduled for release on 2015-06-30) currently only allows RC4 use for whitelisted sites (https://bugzilla.mozilla.org/show_bug.cgi?id=1124039). Anyone using Firefox 39 is/will be unable to access the site by default, and will instead run into an ssl_error_no_cypher_overlap error page. It would be great if the server could be configured to offer more modern cipher suites.

Here are some reasons why this is important:
- CVE-2013-2566 now has a CVSS v2 Base Score of 4.3 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566)
- RC4 use violates RFC7465: https://tools.ietf.org/html/rfc7465
- Recent attacks such as http://www.isg.rhul.ac.uk/tls/RC4mustdie.html show that RC4 is increasingly unsuitable for secure communications
- The grey lock icon is replaced by the triangle exclamation warning icon when RC4 is used
- There is no guarantee that a website will stay on the whitelist

Thanks!
Updated (Assignee), 9 years ago
Assignee: nobody → fryn
Status: NEW → ASSIGNED
Comment 2 (Reporter), 9 years ago

In terms of only supporting RC4, it appears the site is now fixed.

https://www.ssllabs.com/ssltest/analyze.html?d=fbf8.com :
> Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
> TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

However, this crept in:
> POODLE (TLS) Vulnerable
No longer blocks: RC4-Dependence
Summary: fbf8.com is RC4 only → fbf8.com is POODLE (TLS) vulnerable
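To make the two SSL Labs results quoted in this bug mechanically checkable, here is an added Python example (not part of the bug report or of any Mozilla tooling). It parses a cipher-suite list in the "NAME (0xNN)" form SSL Labs prints and classifies it the way the comments above reason: RC4-only (what fails in Firefox 39 off the whitelist), RC4 offered at all (RFC 7465), and no AEAD suite offered. The two suite lists are transcribed from the description and comment 2; the parser and the `assess` function are constructed for this example.

```python
import re

# Constructed input: the suite block from the second SSL Labs scan quoted in
# comment 2, one suite per line, exactly as the report lists them.
SCAN_AFTER_TEXT = """\
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
"""
# The first scan (bug description) listed a single suite.
SCAN_BEFORE_TEXT = "TLS_RSA_WITH_RC4_128_SHA (0x5)\n"

# Matches "TLS_<NAME> (0x<hex>)" lines; other report lines are ignored.
SUITE_RE = re.compile(r"^\s*(TLS_[A-Z0-9_]+)\s*\((0x[0-9a-fA-F]+)\)")


def parse_suites(text):
    """Return [(name, code)] for every suite line in an SSL Labs-style list."""
    out = []
    for line in text.splitlines():
        m = SUITE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2), 16)))
    return out


def assess(suites):
    """Classify an offered suite list [(name, code)] as this bug reasons about it."""
    names = [n for n, _ in suites]
    rc4 = [n for n in names if "_RC4_" in n]
    non_rc4 = [n for n in names if "_RC4_" not in n]
    aead = [n for n in names if "_GCM_" in n or "_CCM" in n or "CHACHA20" in n]
    return {
        # Only RC4 on offer: a Firefox 39 client that is not on the RC4
        # whitelist shares no suite and shows ssl_error_no_cypher_overlap.
        "rc4_only": bool(names) and not non_rc4,
        # Any RC4 suite at all is what RFC 7465 forbids.
        "offers_rc4": bool(rc4),
        # No AEAD suite means every non-RC4 option is a CBC suite. That does
        # not by itself prove POODLE (TLS), which is a server padding-check
        # bug that SSL Labs tests separately; it only shows nothing better
        # is on offer.
        "no_aead": not aead,
        "rc4_count": len(rc4),
        "non_rc4_count": len(non_rc4),
    }
```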
Comment 3, 9 years ago

People should stop considering RC4 as a mitigation of BEAST/POODLE. Now CVE-2013-2566 has the same CVSS v2 Base Score as BEAST/POODLE.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730
Updated (Assignee), 9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 4 (Reporter), 9 years ago

Reverting this to just be about the original RC4 only issue. This server is still POODLE TLS vulnerable, but it looks like nobody is particularly keen on tracking these servers at the moment.
Blocks: RC4-Dependence
Summary: fbf8.com is POODLE (TLS) vulnerable → fbf8.com is RC4 only
Updated, 5 years ago
Product: Tech Evangelism → Web Compatibility