enriquepiatti / Magicento

PHPStorm plugin for Magento developers
115 stars 35 forks

Security/TLS: Disable RC4 Cipher for magicento.com #277

Closed thomaszbz closed 6 years ago

thomaszbz commented 6 years ago

Please have a look at

https://www.ssllabs.com/ssltest/analyze.html?d=magicento.com&hideResults=on

The RC4 cipher is considered insecure and should be disabled.

Qualys also warns about missing forward secrecy, but in respect to the downloads, secrecy should not be important.

enriquepiatti commented 6 years ago

Hi Thomas, thanks for pointing that out. But do you think this is something to fix? I'm not an expert in TLS, but that refers only to the supported ciphers; I think the final cipher to be used is negotiated by the browser, and I guess current browsers won't use RC4. But maybe you have more experience on this and can tell me more about the problem this could cause.

thomaszbz commented 6 years ago

Well, yes. E.g. Microsoft removed RC4 support last year (which is not so long ago): https://support.microsoft.com/en-us/help/3151631/rc4-cipher-is-no-longer-supported-in-internet-explorer-11-or-microsoft

The longer you wait, the more secure it gets ;-) The sweet spot for removing RC4 might be over.

enriquepiatti commented 6 years ago

OK, but what could be the issue then? The browsers are not using RC4 anymore, so what is the problem with supporting the format? It won't be used anyway, right?

thomaszbz commented 6 years ago

Well, to be sure, RC4 should just be turned off in 2017.

enriquepiatti commented 6 years ago

I asked my server admin and he said he cannot change that because of the SSL provider, but I don't see any real risk in that. RC4 won't be used; if someone is using RC4 it is because they are using a really old browser, and hence security is not a concern for them (or at least they will have bigger problems to worry about). Reopen please if you think this could be a real issue for someone.
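The negotiation question that runs through this thread (does a server offering RC4 matter if current browsers never pick it?), worked through as an added example that is not part of this issue or of the Magicento project: a small Python model of TLS 1.2 cipher-suite selection plus the two checks the SSL Labs report in the issue flagged (RC4 offered, suites without forward secrecy). The server and client cipher lists are constructed for illustration, use OpenSSL suite names, and are not magicento.com's actual configuration.

```python
"""Cipher-suite policy check and a model of TLS cipher negotiation.

Added example for the RC4 discussion in this issue; the suite lists below are
constructed for illustration and are not magicento.com's real configuration.
"""
from typing import Dict, List, Optional

# Constructed server lists, using OpenSSL suite names. The "weak" list mirrors the
# two SSL Labs findings from the issue: RC4 is offered and the static-RSA
# key-exchange suites give no forward secrecy. The "fixed" list is the hardened version.
SERVER_CIPHERS_WEAK: List[str] = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "RC4-SHA",
    "RC4-MD5",
]
SERVER_CIPHERS_FIXED: List[str] = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
]

# Constructed client offers. MODERN_CLIENT stands in for a browser that has
# dropped RC4 (as the Microsoft advisory linked in the thread describes);
# LEGACY_CLIENT is a hypothetical old client whose only overlap with the
# weak server list is RC4.
MODERN_CLIENT: List[str] = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]
LEGACY_CLIENT: List[str] = ["RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]


def is_rc4(suite: str) -> bool:
    """True if the suite's bulk cipher is RC4 (covers RC4-SHA, ECDHE-RSA-RC4-SHA, ...)."""
    return "RC4" in suite.split("-")


def has_forward_secrecy(suite: str) -> bool:
    """Simplified check: in TLS 1.2 suite names only ephemeral (EC)DHE key exchange
    gives forward secrecy; static RSA key exchange (no such prefix) does not."""
    return suite.startswith(("ECDHE-", "DHE-"))


def audit(server_ciphers: List[str]) -> Dict[str, List[str]]:
    """Flag the same two things the SSL Labs report in the issue flagged."""
    return {
        "rc4": [s for s in server_ciphers if is_rc4(s)],
        "no_forward_secrecy": [s for s in server_ciphers if not has_forward_secrecy(s)],
    }


def negotiate(server_ciphers: List[str], client_ciphers: List[str],
              server_preference: bool = True) -> Optional[str]:
    """Model of TLS 1.2 suite selection.

    The client sends its ordered list in ClientHello; the server picks one suite
    from the intersection. With server preference the server's own order wins,
    otherwise the client's order wins. No overlap means the handshake fails (None).
    """
    if server_preference:
        first, second = server_ciphers, client_ciphers
    else:
        first, second = client_ciphers, server_ciphers
    second_set = set(second)
    for suite in first:
        if suite in second_set:
            return suite
    return None


if __name__ == "__main__":
    for name, lst in (("weak", SERVER_CIPHERS_WEAK), ("fixed", SERVER_CIPHERS_FIXED)):
        print(f"{name}: {audit(lst)}")
        print(f"  modern client -> {negotiate(lst, MODERN_CLIENT)}")
        print(f"  legacy client -> {negotiate(lst, LEGACY_CLIENT)}")
```

The model gives the practical answer to the question in the thread: the server's list, not the browser's, decides what the server will accept. A modern client never ends up on RC4 against either list, but any peer that offers only RC4 gets RC4 for as long as it stays in the server list, and with client-preference ordering a client that lists RC4 first gets it even when it also supports AES-GCM, which is why web servers expose a setting to honour the server's order (`ssl_prefer_server_ciphers` in nginx, `SSLHonorCipherOrder` in Apache). Against a live host the equivalent check is `openssl s_client -connect host:443 -cipher RC4`; note that recent OpenSSL builds ship without RC4 unless the legacy provider is enabled, so a refused connection on the client side does not by itself prove the server rejected it.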