severity 654764 wishlist tags 654764 +wontfix thanks 2012/1/6 Stefan Fritsch <s...@sfritsch.de>: > On Thursday 05 January 2012, Mathieu Parent wrote: >> The BEAST vulnerability [1] "can be prevented by removing all CBC >> ciphers from your list of allowed ciphers—leaving only the RC4 >> cipher". > > I don't think we want to do that. The normal RC4 algorithms (i.e. not > ECDHE-*-RC4*) don't provide perfect forward secrecy. So you would > improve the security in one regard (mitigate BEAST vulnerability even > if the client does not implement a work-around) but worsen it in > another regard. > > AFAIK, NSS, which is used by Chrome and Firefox, has had a BEAST > workaround for some time now. So, the suggested change would worsen > the security for a significant part of the user base.
OK. I didn't know that. I have marked the bug as wontfix. Feel free to close it. -- Mathieu Parent -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org