[Cryptography] RC4 again (actual security, scalability and other discussion)

Stephen Farrell stephen.farrell at cs.tcd.ie
Mon Mar 10 19:06:33 EDT 2014



On 03/10/2014 08:25 PM, Salz, Rich wrote:
>> Imagine going to PKIX and saying "oh, RC4 is fine, but can you make
>>  SSL opportunistic and phase out HTTP in favour of HTTPS, please? 
>> Pretty please?"
> 
> I was at the IETF last week.
> 
> For HTTP/2, all of Firefox, Chrome, and IE are all doing (immediately
> or soon after) various degrees of http: URIs over TLS.

I wish that were clearly true; s/all of/some of/ is more correct
as I understand it. A few browser folk are actually arguing to aim
for much more https and less http, which agrees with Ian's post,
but without afaik any evidence that content authors will move at
all, which'd seem necessary to me. That position just puzzles me.

Personally, I'd love to see more http URIs accessed via TLS and
am arguing for that. If some of you here agree with that and have
ways to get that message to your fav. browser folks, doing so
might be useful. (A set of folks swamping an IETF list never
having contributed before is not a good way to do that btw.)

Separately, there's discussion in UTA about a bunch of ways of
doing opportunistic-foo and also of how to best deprecate RC4.

And btw, PKIX is deceased.

S.

> So, yes.
> 
> -- Principal Security Engineer Akamai Technology Cambridge, MA
> 

