Closed Bug 1147627 Opened 5 years ago Closed 5 years ago
fbf8.com is RC4 only
https://www.ssllabs.com/ssltest/analyze.html?d=fbf8.com :
> Cipher Suites (sorted by strength; the server has no preference)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
To the people who run fbf8.com: Firefox 39 (scheduled for release on 2015-06-30) currently only allows RC4 use for whitelisted sites (https://bugzilla.mozilla.org/show_bug.cgi?id=1124039 ). Anyone using Firefox 39 is/will be unable to access the site by default, and will instead run into an ssl_error_no_cypher_overlap error page. It would be great if the server could be configured to offer more modern cipher suites.

Here are some reasons why this is important:
- CVE-2013-2566 now has a CVSS v2 Base Score of 4.3 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566 )
- RC4 use violates RFC7465: https://tools.ietf.org/html/rfc7465
- Recent attacks such as http://www.isg.rhul.ac.uk/tls/RC4mustdie.html show that RC4 is increasingly unsuitable for secure communications
- The grey lock icon is replaced by the triangle exclamation warning icon when RC4 is used
- There is no guarantee that a website will stay on the whitelist

Thanks!
In terms of only supporting RC4, it appears the site is now fixed.

https://www.ssllabs.com/ssltest/analyze.html?d=fbf8.com :
> Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
> TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

However, this crept in:
> POODLE (TLS) Vulnerable
No longer blocks: RC4-Dependence
Summary: fbf8.com is RC4 only → fbf8.com is POODLE (TLS) vulnerable
People should stop considering RC4 as a mitigation of BEAST/POODLE. Now CVE-2013-2566 has the same CVSS v2 Base Score as BEAST/POODLE.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Reverting this to just be about the original RC4 only issue. This server is still POODLE TLS vulnerable, but it looks like nobody is particularly keen on tracking these servers at the moment.
Summary: fbf8.com is POODLE (TLS) vulnerable → fbf8.com is RC4 only
Product: Tech Evangelism → Web Compatibility