[Ach] Proposal to Remove legacy TLS Ciphersuits Offered by Firefox
kurt at roeckx.be
Thu Jan 2 23:46:00 CET 2014
On Thu, Jan 02, 2014 at 02:12:47PM -0800, Ryan Sleevi wrote:
> > > What's the take on the ChaCha20/Poly1305 proposal by the Mozilla Sec.
> > > Team by the way?
> > There are 5 security teams at Mozilla, so Mozilla Sec Team is a very
> > large group.
> > I think we all want a new stream cipher in TLS to replace RC4. But
> > that's going
> > to take years, and won't help the millions of people who don't replace
> > their software
> > that often.
> Really? If anything, Firefox and Chromium have shown that new changes can
> be deployed on the order of weeks-to-months, and with server opt-in (such
> as NPN/ALPN), the majority of *users* traffic can be protected or enhanced
> within a few weeks-to-months after.
> Google already has deployed experimental support, for example. Likewise,
> the adoption of SPDY - within Firefox and within a number of significant
> web properties - show that it's significantly quicker than it used to be
> to protect users.
> You're correct that there's going to be a long-tail of sites that don't
> update, sure, but rapid deployment is certainly an increasing possibility
> for the majority of users.
Updates on the client side can be done in a few months, at least
for a very large population of the clients. But things tend to
break in unexpected ways making and it ussually takes a lot of
testing time before it can really be deployed.
But I see more problems getting the server side to change. Maybe
you can convice some people to disable certain things, but I think
it's going to be hard to try to convice them that they should
upgrade to a new software version. I've tried and failed.
When firefox 27 is released all major browsers will finally
support TLS 1.1+ in their latest version. But on the server
side we now see about 20% that support it, which is an increase
of about 15% over last year. We also still see 25% that still
supports SSLv2. At this rate it's still going to take years
before you can say that the majority of the sites will support
I think we should find a way to force them to upgrade, and
trying to be as compatible as possible isn't really helping.
More information about the Ach