[Pkg-openssl-devel] Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used
Florian Schlichting
fsfs at debian.org
Fri Feb 20 21:08:48 UTC 2015
On Fri, Feb 20, 2015 at 06:25:44PM +0100, Kurt Roeckx wrote:
> On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote:
> > What servers, and what clients are we talking about here?
>
> You might want to look at those stats:
> https://lists.fedoraproject.org/pipermail/security/2015-February/002069.html
I did; it's only about web servers, and the numbers are not so different
from the ones I quoted, so it only serves to reinforce my earlier
argument, no?
| RC4 still remains as the 3rd most popular cipher, despite losing 1.3%
| share, at 80.5%. While servers that support only RC4 ciphers lost only
| 0.07% it places them at an all time low of 0.79% (3712 servers). Still
| a large part (13.8%) of servers prefer RC4 even if client supports
| better ciphers, a drop of only 1.4%. Significant number of servers
| also force RC4 in TLS1.1 or TLS1.2: 8.75% (drop of 0.7%).
| Supported Ciphers        | Count   | Percent
| -------------------------+---------+-------
...
| RC4                      | 377778  | 80.5871
| RC4 Only                 |   3712  |  0.7918
| RC4 Preferred            |  64613  | 13.7832
| RC4 forced in TLS1.1+    |  41031  |  8.7527
| x:FF 29 RC4 Only         |    541  |  0.1154
| x:FF 29 RC4 Preferred    |  70622  | 15.065
| x:FF 29 incompatible     |    136  |  0.029
...
=> Disabling RC4 leads to better ciphers being used across
the board. Leaving it on will lead to RC4 still being used in a
surprising number of cases even though better ciphers would be
available. There is a small and slowly shrinking number of web servers
that support nothing else, but see my remarks about web browsers in my
previous email.
Florian
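A toy model of the server-side cipher selection behind the quoted "RC4 Preferred" and "RC4 forced in TLS1.1+" figures, added here as an illustration and not part of the original message. The suite names, the client's offer and the server configurations are constructed sample data; the server_preference flag is meant to mirror OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE behaviour, and drop_rc4 models the effect of appending "!RC4" to the server's cipher string.

```python
# Added example (not from the Debian bug thread): why a server that lists RC4
# first ends up on RC4 even though the client offers better suites, and how
# removing RC4 from the server's list changes the negotiated result.
# All suite names, client and server lists below are constructed sample data.

RC4_SUITES = {"RC4-SHA", "RC4-MD5", "ECDHE-RSA-RC4-SHA"}


def is_rc4(suite):
    return suite in RC4_SUITES


def negotiate(server_prefs, client_offer, server_preference=True):
    """Suite the server selects, or None if the two lists do not overlap.

    server_preference=True models SSL_OP_CIPHER_SERVER_PREFERENCE: the server
    walks its own ordered list and takes the first suite the client offered.
    With False the client's ClientHello order decides instead.
    """
    mine, theirs = (server_prefs, client_offer) if server_preference else (client_offer, server_prefs)
    return next((s for s in mine if s in theirs), None)


def classify(server_by_version, client_offer):
    """Survey categories (as in the quoted statistics) that apply to a server.

    server_by_version maps a protocol version to the server's ordered suite list.
    """
    every_suite = {s for lst in server_by_version.values() for s in lst}
    if every_suite and all(is_rc4(s) for s in every_suite):
        return {"RC4 Only"}
    labels = set()
    for version, prefs in server_by_version.items():
        chosen = negotiate(prefs, client_offer)
        if chosen is not None and is_rc4(chosen):
            labels.add("RC4 Preferred")
            if version in ("TLSv1.1", "TLSv1.2"):
                labels.add("RC4 forced in TLS1.1+")
    return labels


def drop_rc4(server_by_version):
    """Server lists after '!RC4' is appended to the cipher string."""
    return {v: [s for s in p if not is_rc4(s)] for v, p in server_by_version.items()}


# Constructed client: AEAD and CBC suites first, RC4 only as a last resort.
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA", "RC4-SHA"]
# Constructed server that puts RC4 first, even on TLS 1.2.
SERVER = {"TLSv1": ["RC4-SHA", "AES128-SHA"],
          "TLSv1.2": ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]}
```

Running classify(SERVER, CLIENT) yields both RC4 labels, while classify(drop_rc4(SERVER), CLIENT) yields none and the TLS 1.2 handshake lands on the AES-GCM suite.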