On Tue, 2014-05-06 at 09:32 -0400, Hubert Kario wrote:
> That would require the site to be available over HTTP and HTTPS.
> All sites that want HTTPS redirect all requests given over HTTP to the HTTPS
> site, so you can't manually downgrade them.
> That means the only users that use the HTTPS version are probably people that
> have installed the HTTPS Everywhere extension - not the average user.

Hubert, I believe we are discussing in vain. Yes indeed the scenario you
mention could happen _if_ the http site redirects to https, but this is not
universal, and even if it is, the user will be unable to connect to that web
site at all with Fedora.

I have no particular interest in enabling RC4 if that's not needed; it is a
cipher that has been shown to be broken. Our goal, however, is to define a
conservative behavior that provides a good balance between security and
usability. If we fail that, we force the users to switch to using plaintext
connections or (better) to the 'legacy' level. Switching all applications
that use this policy to the legacy level is worse than just allowing RC4, as
it reduces the security of all sessions and not only the sessions that
negotiate RC4.

What we need to know to decide is information about the specific servers
that only require RC4. What is their ranking on the Alexa top 0.97 million
list that you mentioned? Are they at the bottom or in the top 100 of the
list? Do we have that information?

regards,
Nikos

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
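The trade-off in the message above (allowing RC4 in the default policy versus sending whole applications to a broader 'legacy' level) can be made concrete with a small model of cipher-suite selection. The following is an added illustration, not Fedora's crypto-policies code and not anything posted in this thread: the policy contents, the STRENGTH ranking, and the server profiles under `SERVERS` (host names included) are all constructed for the example, and "LEGACY" stands in for any level that re-enables several older suites rather than RC4 alone. It also models the caveat a practitioner would want to see: a server that enforces its own preference order and ranks RC4 first will pick RC4 as soon as the client offers it, even though it also supports AES.

```python
"""Toy model of TLS cipher-suite selection under different client-side crypto
policies. Added illustration, not Fedora's crypto-policies code; the policy
contents, server profiles and host names below are all constructed."""

from typing import Dict, List, Optional, Tuple

# Constructed client policies, ordered by client preference (strongest first).
# Not the real Fedora policy definitions: "LEGACY" here just stands in for a
# level that re-enables several older suites, not only RC4.
POLICIES: Dict[str, List[str]] = {
    "DEFAULT": ["AES256-GCM", "AES128-GCM", "AES128-CBC"],
    "DEFAULT+RC4": ["AES256-GCM", "AES128-GCM", "AES128-CBC", "RC4-128"],
    "LEGACY": ["AES256-GCM", "AES128-GCM", "AES128-CBC", "3DES", "RC4-128"],
}

# Rough strength ranking, used only to report whether a session got weaker.
STRENGTH = {"AES256-GCM": 4, "AES128-GCM": 3, "AES128-CBC": 2, "3DES": 1, "RC4-128": 0}

# Constructed server profiles: (suites in the server's own preference order,
# whether the server enforces its own order instead of the client's).
SERVERS: Dict[str, Tuple[List[str], bool]] = {
    "modern.example": (["AES128-GCM", "AES256-GCM", "AES128-CBC"], False),
    "rc4-only.example": (["RC4-128"], False),
    # BEAST-era style configuration: ranks RC4 first and enforces its order.
    "prefers-rc4.example": (["RC4-128", "3DES", "AES128-CBC"], True),
    "prefers-3des.example": (["3DES", "AES128-CBC"], True),
}


def negotiate(client_prefs: List[str], server_suites: List[str],
              server_preference: bool = False) -> Optional[str]:
    """Return the suite selected for one handshake, or None when the two
    sides share no suite (the connection fails).

    Without server preference the first suite in the client's list that the
    server also supports wins; with it, the first suite in the server's list
    that the client offered wins."""
    chooser = server_suites if server_preference else client_prefs
    other = set(client_prefs) if server_preference else set(server_suites)
    for suite in chooser:
        if suite in other:
            return suite
    return None


def evaluate_policy(policy_name: str) -> Dict[str, Optional[str]]:
    """Map every constructed server to the suite a client on this policy gets."""
    prefs = POLICIES[policy_name]
    return {host: negotiate(prefs, suites, sp)
            for host, (suites, sp) in SERVERS.items()}


def compare_policies(baseline: str, candidate: str) -> Tuple[List[str], List[str]]:
    """Return (hosts that become reachable, hosts whose session gets weaker)
    when a client moves from `baseline` to `candidate`."""
    before, after = evaluate_policy(baseline), evaluate_policy(candidate)
    newly_reachable = [h for h in SERVERS
                       if before[h] is None and after[h] is not None]
    weakened = [h for h in SERVERS
                if before[h] is not None and after[h] is not None
                and STRENGTH[after[h]] < STRENGTH[before[h]]]
    return newly_reachable, weakened


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, evaluate_policy(policy))
    for base, cand in (("DEFAULT", "DEFAULT+RC4"), ("DEFAULT", "LEGACY"),
                       ("DEFAULT+RC4", "LEGACY")):
        reachable, weaker = compare_policies(base, cand)
        print(f"{base} -> {cand}: reachable {reachable}, weakened {weaker}")
```

Under these constructed inputs, moving from DEFAULT to DEFAULT+RC4 makes the RC4-only host reachable and weakens only the host that actively prefers RC4; moving to LEGACY gains nothing further in reachability but additionally weakens the host that prefers 3DES, a session that never involved RC4. That is the "all sessions, not only the RC4 ones" effect in miniature, and `compare_policies` is the kind of check one would run against a real list of servers (with real negotiation results substituted for the toy `negotiate`) before choosing between the two options.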