----- Original Message -----
> From: s...@gmx.ch
> To: dev-security-policy@lists.mozilla.org
> Sent: Monday, 22 September, 2014 9:28:39 PM
> Subject: Re: Indicators for high-security features
>
>
> On 22.09.2014 at 14:56, Henri Sivonen wrote:
> > On Wed, Sep 17, 2014 at 6:20 PM, Richard Barnes <rbar...@mozilla.com>
> > wrote:
> >> -- Use of ciphersuites with forward secrecy
> > Yes, but I think it makes sense to go further with ciphersuites. At
> > minimum, RC4 should not qualify, but given how easy it is to enable
> > AES-GCM if you can enable TLS 1.2 per the earlier point, why not
> > require an AEAD suite (i.e. AES-GCM or an upcoming ChaCha20 suite) and
> > set aside all perceived or actual CBC problems while at it?
> >
> I think 3DES should not qualify, too. It's just the less bad
> alternative to RC4 to support IE 8.

If we accept SHA-1 signed certs, then 3DES is less of a concern.

If we clean up everything and require 128-bit security through and through
for high-sec indication, then yes, 3DES needs to get cut.

--
Regards,
Hubert Kario
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
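
An added example, not part of the original messages: a small Python checker that applies the criteria raised in this thread (forward secrecy, no RC4, optional AEAD requirement, a minimum strength floor) to IANA-style cipher suite names. The function names, the strength table and the 80-bit figure used for a chain that accepts SHA-1 certificates are assumptions of this example, based on commonly cited estimates.

```python
import re

# Commonly cited effective strengths in bits (assumptions of this example).
CIPHER_BITS = {"AES_128": 128, "AES_256": 256, "CHACHA20": 256,
               "3DES_EDE": 112, "RC4_128": 128}
SHA1_CERT_BITS = 80  # nominal collision resistance of SHA-1
AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")

def parse_suite(name):
    """Split a TLS 1.2-style suite name into the properties the thread discusses."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)", name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, rest = m.groups()
    cipher = next((c for c in CIPHER_BITS if rest.startswith(c)), None)
    if cipher is None:
        raise ValueError(f"unknown bulk cipher in: {name}")
    return {
        # Only ephemeral (EC)DH key exchange gives forward secrecy.
        "forward_secrecy": kx.split("_")[0] in ("DHE", "ECDHE"),
        "cipher": cipher,
        "aead": any(mark in rest for mark in AEAD_MARKERS),
        "bits": CIPHER_BITS[cipher],
    }

def failures(name, require_aead, min_bits):
    """Return the reasons a suite misses the bar; an empty list means it qualifies."""
    s = parse_suite(name)
    why = []
    if not s["forward_secrecy"]:
        why.append("no forward secrecy")
    if s["cipher"] == "RC4_128":
        why.append("RC4")  # excluded regardless of nominal key size
    if require_aead and not s["aead"]:
        why.append("not AEAD")
    if s["bits"] < min_bits:
        why.append(f"{s['bits']}-bit cipher below {min_bits}-bit floor")
    return why

# Constructed sample list of real IANA suite names.
SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    for suite in SUITES:
        lenient = failures(suite, require_aead=False, min_bits=SHA1_CERT_BITS)
        strict = failures(suite, require_aead=True, min_bits=128)
        print(f"{suite}\n  SHA-1 certs tolerated: {lenient or 'ok'}\n  128-bit throughout:    {strict or 'ok'}")
```

With the floor set by SHA-1 certificates, the ECDHE 3DES suite passes; with a 128-bit floor it is cut on strength alone, before the AEAD requirement is even considered.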