Closed Bug 732673 Opened 13 years ago Closed 13 years ago

security.ssl3.rsa_rc4_128_md5 is enabled by default, should be disabled

Categories

(Firefox :: Untriaged, defect)

10 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: aerowolf, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Build ID: 20120215223356 Steps to reproduce: I went to about:config and typed 'md5', and I noticed that rsa_rc4_128_md5 is enabled by default. Actual results: I saw: security.ssl3.rsa_rc4_128_md5 default true Expected results: I should have seen: security.ssl3.rsa_rc4_128_md5 default false
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Not a duplicate: 732390 refers to MD5 on certificates. This one refers to MD5 HMAC in SSLv3.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
if you read bug 732390 you should read comment#2 in that bug. You can also look in the "Patch v1" provided by kaie >-pref("security.ssl3.rsa_rc4_128_md5", true); >+pref("security.ssl3.rsa_rc4_128_md5", false);
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → DUPLICATE
I also wrote a patch for this issue in bug 732630. The security.ssl3.rsa_rc4_128_md5 cipher suite is still safe because it uses MD5 only in HMAC. At the PSM level, I recommend simply removing that cipher suite. security.ssl3.rsa_rc4_128_sha1 can be used as a replacement when the speed of RC4 is desired.
I'm reopening this bug - it's no longer a duplicate of 732630 - because we no longer plan to disabled that cipher suite in that bug.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---
I'm resolving this as wontfixed. In a conf call last week we decided it's still fine to use this cipher suite.
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → WONTFIX
For the record, the reason this bug was resolved without a patch because there is nothing to "fix"; there is no (known) security issue with this cipher suite as explained by Wan-Teh in comment 4, and supporting the cipher suite is required for compatibility with some number of websites. I am changing the resolution to clarify that.
Resolution: WONTFIX → INVALID
I turned off TLS_RSA_WITH_RC4_128_MD5 in Google Chrome for a few days. I discovered that a few websites enable TLS_RSA_WITH_RC4_128_MD5 only, and several major websites (including Facebook, Charles Schwab, E*TRADE, and Amazon.com) prefer TLS_RSA_WITH_RC4_128_MD5. So TLS_RSA_WITH_RC4_128_MD5 is actually a very popular cipher suite.
You need to log in before you can comment on or make changes to this bug.