Closed Bug 1147627 Opened 9 years ago Closed 9 years ago

fbf8.com is RC4 only

Categories: Web Compatibility :: Site Reports, defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
People: Reporter: Cykesiopka, Assigned: fryn

https://www.ssllabs.com/ssltest/analyze.html?d=fbf8.com :
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
To the people who run fbf8.com:

Firefox 39 (scheduled for release on 2015-06-30) currently only allows RC4 use for whitelisted sites (https://bugzilla.mozilla.org/show_bug.cgi?id=1124039 ).
Anyone using Firefox 39 is/will be unable to access the site by default, and will instead run into an ssl_error_no_cypher_overlap error page.

It would be great if the server could be configured to offer more modern cipher suites.

Here are some reasons why this is important:
 - CVE-2013-2566 now has a CVSS v2 Base Score of 4.3 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 )
 - RC4 use violates RFC7465: https://tools.ietf.org/html/rfc7465
   - Recent attacks such as http://www.isg.rhul.ac.uk/tls/RC4mustdie.html show that RC4 is increasingly unsuitable for secure communications
 - The grey lock icon is replaced by the triangle exclamation warning icon when RC4 is used
 - There is no guarantee that a website will stay on the whitelist

Thanks!
Assignee: nobody → fryn
Status: NEW → ASSIGNED
In terms of only supporting RC4, it appears the site is now fixed.
https://www.ssllabs.com/ssltest/analyze.html?d=fbf8.com :
> Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
> TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

However, this crept in:
> POODLE (TLS): Vulnerable
No longer blocks: RC4-Dependence
Summary: fbf8.com is RC4 only → fbf8.com is POODLE (TLS) vulnerable
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
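As an added example, not code from the bug report or from either commenter: a small Python checker that parses cipher suite listings in the SSL Labs format quoted in both comments above and reports the two conditions this bug tracks: whether the server offers only RC4 (the condition under which a Firefox 39 user on a non-whitelisted site hits ssl_error_no_cypher_overlap) and which CBC suites remain after the fix. The two listings embedded below are copied from the comments; the function names, and the simplification that any non-RC4 suite counts as cipher overlap with Firefox 39, are assumptions of this example. POODLE (TLS) cannot be read off a cipher list, since it is a padding-check bug in the server's CBC implementation, so the checker only names the CBC suites that such a bug would affect.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Cipher suite listings exactly as SSL Labs reported them for fbf8.com in the
# two comments above (before and after the server change).
BEFORE_FIX = """\
TLS_RSA_WITH_RC4_128_SHA (0x5)
"""

AFTER_FIX = """\
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
"""

# One "NAME (0xID)" line per suite; a leading ">" (quoted bug text) is tolerated.
SUITE_RE = re.compile(r"^\s*>?\s*(TLS_[A-Z0-9_]+)\s*\((0x[0-9a-fA-F]+)\)")


def parse_suites(listing: str) -> List[Tuple[str, int]]:
    """Return (suite name, IANA id) pairs in the order the server prefers them."""
    suites = []
    for line in listing.splitlines():
        m = SUITE_RE.match(line)
        if m:
            suites.append((m.group(1), int(m.group(2), 16)))
    return suites


@dataclass
class Assessment:
    rc4_offered: bool       # any RC4 suite at all (RFC 7465 says it must never be selected)
    rc4_only: bool          # the condition this bug was filed about
    non_rc4_suites: List[str]
    cbc_suites: List[str]   # suites a broken CBC padding check (POODLE TLS) would expose


def assess(listing: str) -> Assessment:
    names = [name for name, _ in parse_suites(listing)]
    rc4 = [n for n in names if "_RC4_" in n]
    non_rc4 = [n for n in names if "_RC4_" not in n]
    cbc = [n for n in names if "_CBC_" in n]
    return Assessment(
        rc4_offered=bool(rc4),
        rc4_only=bool(rc4) and not non_rc4,
        non_rc4_suites=non_rc4,
        cbc_suites=cbc,
    )


def firefox39_default_can_connect(listing: str) -> bool:
    """Firefox 39 negotiates RC4 only for whitelisted sites, so a site that is
    not whitelisted needs at least one non-RC4 suite in common or the handshake
    fails with ssl_error_no_cypher_overlap. Assumption of this example: every
    non-RC4 suite in the listing is one Firefox 39 also offers."""
    return bool(assess(listing).non_rc4_suites)


def report(label: str, listing: str) -> str:
    a = assess(listing)
    lines = [
        f"{label}: rc4_only={a.rc4_only} rc4_offered={a.rc4_offered}",
        f"  Firefox 39 (not whitelisted) connects: {firefox39_default_can_connect(listing)}",
        f"  CBC suites to review for POODLE (TLS): {', '.join(a.cbc_suites) or 'none'}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("before", BEFORE_FIX))
    print(report("after", AFTER_FIX))
```

Run stand-alone it prints the before/after verdicts; in a monitoring job the same `assess()` can be pointed at a fresh SSL Labs export so that a site dropping back to RC4 only (or being removed from the whitelist, as the reporter warns) is caught before users see the error page.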
Reverting this to just be about the original RC4 only issue.

This server is still POODLE TLS vulnerable, but it looks like nobody is particularly keen on tracking these servers at the moment.
Summary: fbf8.com is POODLE (TLS) vulnerable → fbf8.com is RC4 only
Product: Tech Evangelism → Web Compatibility