[Ach] Proposal to Remove legacy TLS Ciphersuits Offered by Firefox

Kurt Roeckx kurt at roeckx.be
Thu Jan 2 23:46:00 CET 2014

On Thu, Jan 02, 2014 at 02:12:47PM -0800, Ryan Sleevi wrote:
> > > What's the take on the ChaCha20/Poly1305 proposal by the Mozilla Sec.
> > > Team by the way?
> >
> > There are 5 security teams at Mozilla, so Mozilla Sec Team is a very
> > large group.
> > I think we all want a new stream cipher in TLS to replace RC4. But
> > that's going to take years, and won't help the millions of people who
> > don't replace their software that often.
> Really? If anything, Firefox and Chromium have shown that new changes can
> be deployed on the order of weeks-to-months, and with server opt-in (such
> as NPN/ALPN), the majority of *users'* traffic can be protected or enhanced
> within a few weeks-to-months after.
> Google already has deployed experimental support, for example. Likewise,
> the adoption of SPDY - within Firefox and within a number of significant
> web properties - shows that it's significantly quicker than it used to be
> to protect users.
> You're correct that there's going to be a long-tail of sites that don't
> update, sure, but rapid deployment is certainly an increasing possibility
> for the majority of users.

Updates on the client side can be done in a few months, at least
for a very large population of the clients.  But things tend to
break in unexpected ways, and it usually takes a lot of
testing time before it can really be deployed.

But I see more problems getting the server side to change.  Maybe
you can convince some people to disable certain things, but I think
it's going to be hard to try to convince them that they should
upgrade to a new software version.  I've tried and failed.

When Firefox 27 is released all major browsers will finally
support TLS 1.1+ in their latest version.  But on the server
side we now see about 20% that support it, which is an increase
of about 15% over last year.  We also still see 25% that still
support SSLv2.  At this rate it's still going to take years
before you can say that the majority of the sites will support

I think we should find a way to force them to upgrade, and
trying to be as compatible as possible isn't really helping.

