[Ach] Proposal to Remove legacy TLS Ciphersuits Offered by Firefox

[ianG]

Hi Julian,


On 4/01/14 00:04 AM, Julien Vehent wrote:
> On 2014-01-03 12:58, ianG wrote:

>> Right, Windows XP.  Which is end of life.
>
> Microsoft killing support for a product isn't the same thing as people
> throwing away their computers.
>
> Or, are you implying that because microsoft is ending the life of XP, we
> should feel comfortable disconnecting these people from the internet?
> I'm not sure what they did to deserve that, except spending thousands of
> dollars on a computer years ago.


It depends on your mission.  Here, we're seeking better crypto.

At Mozilla, it's clear that you're seeking access to the web for all. 
These are very different missions.  The mission drives all.

It's pretty clear that users of XP, etc, will not be using better 
crypto.  They aren't now, they won't as long as they keep using XP.

They are already outside our chosen domain, nothing we can do will bring 
them back into it.  Only they can act.


>>>> Hmmm..  Are the Chinese blocked from stronger crypto?
>>>
>>> According to http://www.modern.ie/ie6countdown:
>>>   * 22.2% of China uses IE6
>>>   * 4.9% of users worlwide use IE6
>>
>>
>> Thanks for that!  More end of life.  And DJB says it's worse, we've
>> retrograded to about 50% RC4 usage.
>>
>
> Apples and Oranges. Some websites owners prefer RC4 for various reasons,
> but it's different from what clients can actually negotiate.
> Even if all website owners update their ciphersuite tomorrow, that won't
> replace the millions of computers than are stuck on RC4 and 3DES.


Right.  It's apples and oranges and pears and grapefruits and grapes and 
carrots and turnips too.  If your mission is to keep these people on the 
web, then yes, you need to keep RC4 and 3DES alive.


> I'm not sure what, in my message, triggered such a strong reaction. As I
> said in a previous email:


Oh, my fault, definitely:  Mozilla's mission isn't necessarily workable 
or adoptable outside Mozilla, so we have to be careful to understand 
when and how it causes tensions.


> """
>      1. I think it's great to have two guides with divergent points of
> view. I'm mostly
>         interested in discussing design choices, because these
> discussions are useful.
>         I'm not interested in convincing the ACH group that one
> recommendation is better
>         than the other, since it completely depends on the context.
> """
>
> If anyone has a secret sauce to replace all of the ancient software out
> there, with newer one that support TLS1.2, OCSP Stapling and so on, I'm
> 200% up for it.


There isn't any secret sauce, algorithm agility totally failed as a 
solution.  Hard decisions have to be made.  People will suffer.

Or it gets worse.

To put a date on it, everything changed in 2011.  What worked before is 
not necessarily going to work any more.


> In the meantime, it's important that users can reach mozilla.org from
> IE6, so that they can install Firefox and enjoy stronger security.


If you mean, stronger security than say HTTP, I'm all for it.  My 
writings on Mozilla lists to this end are voluminous and drowning...

But it's a long long debate, and once we drag security into it, it gets 
messy.  Frankly, Mozilla is best off doing what it does:  getting web to 
users, and following standards.  I'm an avid user of Firefox and Tbird, 
myself, I don't want these tools to go away.

If there's a message for Mozilla here, it might be this:  those old 
algorithms may become less useful sooner than we'd like...



iang