User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 Build ID: 20130326150557 Steps to reproduce: Looked through the firefox source code to try to find how much data is thrown out when rc4 is used for TLS/SSL Actual results: I wasn't able to find it. Expected results: It should throw away the first 256bytes(at minimum) of output from rc4 before it uses the key for encyrption/during the session negotiation with the server. If it is already throwing away at least the first 256bytes then this bug can be closed as it's just an enhancement.
We can't do this because the spec doesn't allow it. I will find out what we need to do to open up bug 850478. Also, I will write up something about our plans for dealing with RC4-related drama.
(In reply to Brian Smith (:bsmith) from comment #1) > We can't do this because the spec doesn't allow it. I will find out what we > need to do to open up bug 850478. Also, I will write up something about our > plans for dealing with RC4-related drama. I'm not allowed to view that bug, so I have no idea what that said... I imagine it's something to do with rc4. I only opened this because I remember the drama happening with it, I just figured it'd be good to put this on the road map in case it hadn't already been on there as I wasn't able to find anything about it. Also I wasn't aware that the SSL/TLS spec said you can't throw out a certain amount of data from the PRNG for rc4 before you actually use the key. Anyway thanks for saying that you guys are looking into it, I hope that whatever that bug was, it's going to help you guys get ahead of this drama since I swear, it never seems to end. First it's "don't ever use rc4 it's not strong enough, then its' use rc4 it's your only hope, now it's rc4 isn't strong enough anymore." It's like some sort of crazy circle of insanity. I'm looking forward to the writeup, and once again/finally thanks for making me aware that you guys already have a bug for it.