Closed NoahKunin closed 9 years ago
Got it, I would prefer to make this simpler. Let's do some research and posit a date certain at which we will not support Windows XP-SPx period and go from there.
Suggesting we move the conversation re: XP EOL to #16 - I'm going to comment there.
I'll do some extra research to see if I can expunge RC4 from the current recommended ELB setup.
Though I note that CloudFront currently uses RC4 as their IE8/XP fallback, which we can do nothing about for those sites: https://www.ssllabs.com/ssltest/analyze.html?d=d37uca4in84hpc.cloudfront.net
Done for us.
The only reason to support it is Windows XP. This is a carveout for IE8+WinXP, but IE7+Vista doesn't need it, and can work with DH cipher-suites.
By requiring SHA-2 for our certificates, we've already abandoned support for WinXP SP2, but can support WinXP SP3. WinXP SP3 is what's holding us back from using Server Name Indication and ECDSA (elliptic curve) certificates.
So we could factor this into our XP split -- I had been thinking of making two tracks of standards for us. If WinXP SP3 must be supported, then: use this set of ciphers, an RSA cert, and no SNI. If WinXP can be abandoned, we can kill `RC4-SHA`, use ECDSA certs, and SNI.
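As an added example that is not code from this thread: a Python helper that parses `openssl ciphers -v` output (a constructed sample here), applies the two tracks described above, and reports which suites a WinXP SP3 client could still negotiate. It assumes WinXP SP3 only negotiates RSA key exchange with an RSA cert using RC4 or 3DES and sends no SNI, so it also shows that expunging `RC4-SHA` leaves `DES-CBC3-SHA` as the sole XP fallback.

```python
import re

# Constructed sample in `openssl ciphers -v` layout (not captured from any real ELB).
SAMPLE_CIPHERS_V = """\
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
"""

# name, protocol, Kx=..., Au=..., Enc=<algorithm>(bits)
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([A-Z0-9]+)")


def parse_ciphers(text):
    """Parse `openssl ciphers -v` lines into dicts of name, kx, au, enc."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, kx, au, enc = m.groups()
            suites.append({"name": name, "kx": kx, "au": au, "enc": enc})
    return suites


def usable_by_winxp_sp3(suite):
    """Assumption: WinXP SP3 SChannel only does RSA key exchange with an RSA
    cert and RC4 or 3DES (no DH/ECDH, no ECDSA, no AES), and sends no SNI."""
    return suite["kx"] == "RSA" and suite["au"] == "RSA" and suite["enc"] in ("RC4", "3DES")


def drop_rc4(suites):
    """Expunge every RC4 suite, whatever its MAC."""
    return [s for s in suites if s["enc"] != "RC4"]


def plan(suites, support_winxp_sp3):
    """The two tracks from the thread: keep WinXP SP3 (RSA cert, no SNI) or
    abandon it (no RC4, ECDSA cert, SNI). Also lists what XP could still use."""
    if support_winxp_sp3:
        chosen, cert, sni = list(suites), "RSA", False
    else:
        chosen, cert, sni = drop_rc4(suites), "ECDSA", True
    xp_fallback = [s["name"] for s in chosen if usable_by_winxp_sp3(s)]
    return {"cipher_string": ":".join(s["name"] for s in chosen),
            "cert": cert, "sni": sni, "winxp_fallback": xp_fallback}
```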