Closed
Bug 732673
Opened 13 years ago
Closed 13 years ago
security.ssl3.rsa_rc4_128_md5 is enabled by default, should be disabled
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: aerowolf, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Build ID: 20120215223356
Steps to reproduce:
I went to about:config and typed 'md5', and I noticed that rsa_rc4_128_md5 is enabled by default.
Actual results:
I saw: security.ssl3.rsa_rc4_128_md5 default true
Expected results:
I should have seen: security.ssl3.rsa_rc4_128_md5 default false
Updated•13 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 2•13 years ago
Not a duplicate: 732390 refers to MD5 on certificates. This one refers to MD5 HMAC in SSLv3.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 3•13 years ago
If you read bug 732390, you should read comment #2 in that bug.
You can also look in the "Patch v1" provided by kaie:
>-pref("security.ssl3.rsa_rc4_128_md5", true);
>+pref("security.ssl3.rsa_rc4_128_md5", false);
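Review bot: the `+pref("security.ssl3.rsa_rc4_128_md5", false);` line flips the default without a comment recording why the suite is being turned off. Add a short comment above the pref that states the reason and points at the bug that motivated it. With this default, a server that accepts only this suite can no longer negotiate a connection, so the patch description should also say how that compatibility cost was weighed.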
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → DUPLICATE
Comment 4•13 years ago
I also wrote a patch for this issue in bug 732630.
The security.ssl3.rsa_rc4_128_md5 cipher suite is still safe
because it uses MD5 only in HMAC.
At the PSM level, I recommend simply removing that cipher suite.
security.ssl3.rsa_rc4_128_sha1 can be used as a replacement
when the speed of RC4 is desired.
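Comment 4's point that the suite uses MD5 only inside HMAC, shown as an added example that is not part of the bug thread: HMAC per RFC 2104 assembled from plain MD5 calls in Python and checked against the published RFC 2202 test vector. The function names and the sample key and record are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 processes input in 64-byte blocks


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 assembled from plain MD5 calls, following RFC 2104."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()      # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")     # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # Both MD5 calls are keyed: without the key an attacker cannot evaluate
    # either hash, which offline collision searches on bare MD5 rely on.
    inner = hashlib.md5(ipad + message).digest()
    return hashlib.md5(opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison, as a MAC verifier should do."""
    return hmac.compare_digest(hmac_md5(key, message), tag)


# Published RFC 2202 test case 2 for HMAC-MD5.
RFC2202_KEY = b"Jefe"
RFC2202_MSG = b"what do ya want for nothing?"
RFC2202_TAG = bytes.fromhex("750c783e6ab0b503eaa86e310a5db738")


def demo() -> dict:
    # Constructed sample key and record, for illustration only.
    key = bytes(range(16))
    record = b"GET /account HTTP/1.1"
    tag = hmac_md5(key, record)
    return {
        "matches_rfc2202": hmac_md5(RFC2202_KEY, RFC2202_MSG) == RFC2202_TAG,
        "matches_stdlib": tag == hmac.new(key, record, hashlib.md5).digest(),
        "accepts_genuine": verify(key, record, tag),
        "rejects_modified": not verify(key, record + b"!", tag),
        "rejects_wrong_key": not verify(b"\x00" * 16, record, tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```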
Comment 5•13 years ago
I'm reopening this bug - it's no longer a duplicate of 732630 - because we no longer plan to disable that cipher suite in that bug.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---
Comment 6•13 years ago
I'm resolving this as wontfixed.
In a conf call last week we decided it's still fine to use this cipher suite.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → WONTFIX
Comment 7•13 years ago
For the record, the reason this bug was resolved without a patch is because there is nothing to "fix"; there is no (known) security issue with this cipher suite as explained by Wan-Teh in comment 4, and supporting the cipher suite is required for compatibility with some number of websites.
I am changing the resolution to clarify that.
Resolution: WONTFIX → INVALID
Comment 8•13 years ago
I turned off TLS_RSA_WITH_RC4_128_MD5 in Google Chrome for a few
days. I discovered that a few websites enable TLS_RSA_WITH_RC4_128_MD5
only, and several major websites (including Facebook, Charles Schwab,
E*TRADE, and Amazon.com) prefer TLS_RSA_WITH_RC4_128_MD5. So
TLS_RSA_WITH_RC4_128_MD5 is actually a very popular cipher suite.