Reginald Dwyer

IETF calling for RC4 to be dropped from TLS

Discussion created by Reginald Dwyer on Dec 1, 2014
Latest reply on Feb 19, 2015 by tlussnig

The IETF is calling for comments on a draft proposal that RC4 no longer be supported by clients and servers negotiating TLS connections.

https://datatracker.ietf.org/doc/draft-ietf-tls-prohibiting-rc4/

The closing date for comments is the 10th December.

Will Qualys be amending the SSL checks to penalise RC4 more strongly? A server using nothing but RC4 can still get an A- grade despite it being a weak cipher and not supporting forward secrecy.

In fact, examples such as bank.barclays.co.uk (major online banking portal) still rate an A- grade despite triggering multiple warnings (SHA 1 cert, RC4, No Forward Secrecy, SSL 3, etc) which doesn't seem right when sites which do none of those things, but which don't support forward secrecy with ancient versions of Internet Explorer get capped at an A.
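As an added example (not from the original post, and not Qualys or SSL Labs code), a small audit that takes a scanner's summary of a server and flags the four weaknesses the post lists: RC4 offered (and RC4-only), no forward-secrecy key exchange, SSL 3 enabled, and a SHA-1 certificate signature. The scan summaries are constructed samples; the `ScanSummary` shape and the `audit`/`hardened_suites` helpers are this example's own assumptions, not a Qualys API.

```python
import re
from dataclasses import dataclass

# Cipher suites are matched by their IANA names, as most scanners report them.
RC4_RE = re.compile(r"_RC4_")
FS_RE = re.compile(r"^TLS_(ECDHE|DHE)_")   # ephemeral key exchange => forward secrecy

@dataclass
class ScanSummary:                          # assumed shape, not a scanner's real output
    protocols: frozenset                    # protocol versions the server accepts
    cipher_suites: tuple                    # suites the server accepts, in preference order
    cert_sig_alg: str                       # certificate signature algorithm, OpenSSL-style name

def audit(summary):
    """Return (finding, detail) pairs for the weaknesses named in the post."""
    findings = []
    rc4 = [s for s in summary.cipher_suites if RC4_RE.search(s)]
    if rc4:
        findings.append(("RC4 offered", ", ".join(rc4)))
    if rc4 and len(rc4) == len(summary.cipher_suites):
        findings.append(("RC4 only", "nothing to fall back on once clients stop offering RC4"))
    if not any(FS_RE.match(s) for s in summary.cipher_suites):
        findings.append(("No forward secrecy", "no ECDHE/DHE suite offered"))
    if "SSLv3" in summary.protocols:
        findings.append(("SSL 3 enabled", "obsolete protocol version"))
    if summary.cert_sig_alg.lower().startswith("sha1"):
        findings.append(("SHA-1 certificate", summary.cert_sig_alg))
    return findings

def hardened_suites(suites):
    """Drop RC4 suites and move forward-secrecy suites to the front (stable sort keeps order)."""
    keep = [s for s in suites if not RC4_RE.search(s)]
    return tuple(sorted(keep, key=lambda s: 0 if FS_RE.match(s) else 1))

# Constructed sample: an RC4-only server of the kind the post describes.
RC4_ONLY = ScanSummary(
    protocols=frozenset({"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}),
    cipher_suites=("TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"),
    cert_sig_alg="sha1WithRSAEncryption",
)
# Constructed sample: a server that still lists RC4 last for old clients.
MIXED = ScanSummary(
    protocols=frozenset({"TLSv1.0", "TLSv1.2"}),
    cipher_suites=("TLS_RSA_WITH_AES_128_CBC_SHA",
                   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_RSA_WITH_RC4_128_SHA"),
    cert_sig_alg="sha256WithRSAEncryption",
)

if __name__ == "__main__":
    for name, s in (("rc4-only", RC4_ONLY), ("mixed", MIXED)):
        print(name, audit(s))
    print(hardened_suites(MIXED.cipher_suites))
```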