allow unrestricted RC4 fallback in beta and release

RESOLVED FIXED in Firefox 39

People

(Reporter: keeler, Assigned: keeler)

Tracking

unspecified
mozilla40

Firefox Tracking Flags

(firefox38 unaffected, firefox38.0.5 unaffected, firefox39 fixed, firefox40 fixed)

Details

Attachments

(1 attachment)

We've been seeing too much breakage by disabling RC4 fallback by default (see bug 1124039 comment 58). However, we still want to encourage site operators and developers to move to stronger ciphersuites, so for now we should allow RC4 fallback on beta and release, but continue to disable it on nightly and aurora (dev. edition).

Comment 1

4 years ago
You know I'm going to NAK this. ;-) Not least because the stats you quoted are out of date, the breakage is <1% now (see below in that bug).

It's not a "please migrate stronger ciphersuite" thing: let's be clear, RC4 is far too dangerously weak for anyone to use for any purpose.

It is however reasonable for the time being to present (red) warning interstitials rather than prevent browsing when falling back to RC4. Perhaps explore that?
Breakage percentages based on automated top sites crawling are useful data, but don't paint the whole picture (there are some long tails here). Using the "break the web" hammer for achieving security improvements is a very user-hostile approach, so we absolutely need to tread carefully. The dependency tree of https://bugzilla.mozilla.org/show_bug.cgi?id=1138101 (which is nearly guaranteed to just be the tip of the iceberg) is evidence enough that we're not ready to let this ride to our beta/release population yet.
Posted patch: patch (Splinter Review)
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8598881 - Flags: review?(cykesiopka.bmo)

Comment 4

4 years ago
Comment on attachment 8598881 [details] [diff] [review]
patch

Review of attachment 8598881 [details] [diff] [review]:
-----------------------------------------------------------------

A bit sad about this approach as IMO it reduces the persuasiveness of TE arguments, but this does seem like a reasonable balance between risk and increased security at this time.
Anyways, LGTM.
Attachment #8598881 - Flags: review?(cykesiopka.bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/05398ebd8197
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
This change should be uplifted to the 39 branch.
Comment on attachment 8598881 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]: disabling RC4 fallback (bug 1124039 and related)
[User impact if declined]: users won't be able to use a number of https sites
[Describe test coverage new/current, TreeHerder]: has some tests
[Risks and why]: low - this is just a pref change
[String/UUID change made/needed]: none
Attachment #8598881 - Flags: approval-mozilla-aurora?
Comment on attachment 8598881 [details] [diff] [review]
patch

Approved for uplift to aurora. From discussion on this bug and mailing lists and with keeler, sounds like we are still not ready to disable RC4.
Attachment #8598881 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 15

4 years ago
I am assuming others have seen:

https://www.rc4nomore.com/
https://www.rc4nomore.com/vanhoef-usenix2015.pdf

Because of this, I think it is now time to get fallback removed on a more expedited basis.
The trade-off, in my opinion, no longer favours allowing RC4 to be negotiated.