Am Montag, 3. Februar 2014 22:50:38 UTC+1 schrieb Chris Newman: > As a non-Firefox/non-HTTP consumer of NSS, I'd like to see an NSS API flag > indicating a cipher suite is retained for backwards compatibility but > considered inferior by cryptographic community standards at the time the > NSS library was built.
Yes, awesome. That's the NSS-equivalent of my proposal. Basically, there should be a definition for ciphers that says "ok" or "weak", exposed via API. > A. is unacceptable because it breaks copy/paste of URLs Copy/paste does some magic here (Firefox currently does not show "http://" but copies the complete URL string). > B. For UI, I'd suggest a ? over the padlock rather than a red bar. The > community believes RC4 may be vulnerable to high-skill attackers and is > likely to become more vulnerable to other attackers over time. That's > questionable security, not no security. It's still a lot better than > unencrypted (which is what you get if you remove RC4 prematurely). Hmm, good point. You have to think about your friend's parents, though, any not-entirely-obvious UI (even if it is actually correct) may confuse people. But let's leave that to the UI team. My sketch was for illustratory purposes only. > C. The "https" URI scheme specifies the protocol not the policy so it > technically does not imply the connection is or will be secure. But I agree > this is non-obvious to at least some users and prefer option B. Most people are trained to look for "https:" on banking sites (because they were told that's how they identify a "secure connection"), so they may not see that the security on that connection is weak. But again, UI is for UI team. ;) > Regardless, I think NSS should provide the flag, and Firefox can design the > UI. Yes, I agree. Best regards, Florian Bender -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto