severity 654764 wishlist tags 654764 +wontfix thanks 2012/1/6 Stefan Fritsch <[email protected]>: > On Thursday 05 January 2012, Mathieu Parent wrote: >> The BEAST vulnerability [1] "can be prevented by removing all CBC >> ciphers from your list of allowed ciphers—leaving only the RC4 >> cipher". > > I don't think we want to do that. The normal RC4 algorithms (i.e. not > ECDHE-*-RC4*) don't provide perfect forward secrecy. So you would > improve the security in one regard (mitigate BEAST vulnerability even > if the client does not implement a work-around) but worsen it in > another regard. > > AFAIK, NSS, which is used by Chrome and Firefox, has had a BEAST > workaround for some time now. So, the suggested change would worsen > the security for a significant part of the user base.
OK. I didn't know that. I have marked the bug as wontfix. Feel free to close it. -- Mathieu Parent -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/cafx5sbwzr0iiy9ilzs7rm5w4q-rutfhc0-_hh_8oyvpx6pt...@mail.gmail.com
