Hacker News new | past | comments | ask | show | jobs | submit login

And if it breaks connections to servers set up to use RC4 specifically?

Sure, the browser should stop "suggesting" they use RC4. That is the browser's right. But if the server decides to use it anyway then they use it.

Also you kind of break your own rule. If we cannot suggest things which Microsoft or Mozilla have to do then we cannot suggest they alter their ciphersuite either...




The point of my rule is that if you're going to push new client code, you push a real fix, not a workaround.


Why not push both?

Why can't browsers "suggest" that they don't use RC4 any more, and when they still use RC4 (as they will almost certainly do) they use the workaround.


Then it seems like the right solution is to push TLS 1.2 + AES-GCM along with fixes for Lucky 13, and use CBC for everything before 1.2 and GCM for everything after it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: