On Mon, 2014-05-05 at 16:46 +0200, Aaron Zauner wrote:
>
> Eric H. Christensen wrote:
> > On Mon, May 05, 2014 at 11:50:48AM +0200, Nikos Mavrogiannopoulos wrote:
> >> On Fri, 2014-04-25 at 10:34 -0400, Hubert Kario wrote:
> >>> SSL/TLS survey of 305280 websites from Alexa's top 0.97 million
> >>> Stats only from connections that did provide valid certificates
> >>> (or anonymous DH from servers that do also have valid certificate installed)
> >>> RC4 Only 5418 1.7748
> >> That's pretty interesting. The question is now how important is that RC4
> >> only segment. Is that percentage significant enough to revise having RC4
> >> in the "default" crypto profile set?
> >
> > Revise how? RC4 should be dropped down to EXPORT status, IMO, but somehow lives on.
> >
> +1. Not quite sure why it's still in the TLS 1.3 draft.

This is not about the TLS protocol in 5 years, but about the ciphers that
we will make available in Fedora 21 by default this autumn. If the
default settings disallow RC4 it means that the users of Fedora will not
be able to connect to the 1.7748% of this list of web servers. That is,
no HTTPS connection at all for 17215 servers; only plaintext.

If that list contains some popular HTTPS servers, we'll have:
1. Users connecting with no security at all to these web sites.
2. Users relaxing the overall security level from DEFAULT -> LEGACY.
3. Users switching to some other distribution where things just work.

I don't like any of these possibilities if they apply to a major part of
our users. The DEFAULT setting should apply to 99% of our users. We need
to know what removing RC4 from the default list entails. Knowing which
these 17215 servers are, and their ranking in that list would certainly
help decide.

regards,
Nikos

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security