On Fri, Feb 20, 2015 at 06:25:44PM +0100, Kurt Roeckx wrote:
> On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote:
> > What servers, and what clients are we talking about here?
>
> You might want to look at those stats:
> https://lists.fedoraproject.org/pipermail/security/2015-February/002069.html

I did, it's only about web servers and the numbers are not so different
from the ones I quoted, so it only serves to reinforce my earlier
argument, no?

| RC4 still remains as the 3rd most popular cipher, despite losing 1.3%
| share, at 80.5%. While servers that support only RC4 ciphers lost only
| 0.07% it places them at an all time low of 0.79% (3712 servers). Still
| a large part (13.8%) of servers prefer RC4 even if client supports
| better ciphers, a drop of only 1.4%. Significant number of servers
| also force RC4 in TLS1.1 or TLS1.2: 8.75% (drop of 0.7%).
|
| Supported Ciphers           Count     Percent
| -------------------------+---------+-------
| ...
| RC4                        377778    80.5871
| RC4 Only                     3712     0.7918
| RC4 Preferred               64613    13.7832
| RC4 forced in TLS1.1+       41031     8.7527
| x:FF 29 RC4 Only              541     0.1154
| x:FF 29 RC4 Preferred       70622    15.065
| x:FF 29 incompatible          136     0.029
| ...

=> Disabling RC4 leads to better ciphers being used across the board.
Leaving it on will lead to RC4 still being used in a surprising number
of cases even though better ciphers would be available. There is a
small and slowly shrinking number of web servers that support nothing
else, but see my remarks about web browsers in my previous email.

Florian
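An added illustration of the argument above (not part of the thread): a small
model of TLS cipher selection run against hypothetical servers shaped like the
survey's categories ("RC4 Only", "RC4 Preferred", and a server that already
prefers AES). The cipher lists and server names are constructed for the example;
it shows that removing RC4 from the client's offer moves the "RC4 Preferred"
servers to AES and only the "RC4 Only" servers fail to negotiate.

```python
from typing import Dict, List, Optional, Tuple

# Constructed client cipher offers (OpenSSL-style names), most preferred first.
CLIENT_WITH_RC4 = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA", "RC4-MD5"]
CLIENT_NO_RC4 = [c for c in CLIENT_WITH_RC4 if not c.startswith("RC4")]

# Hypothetical servers modelled on the survey categories:
# name -> (server cipher list in its preference order, honours its own order?)
SERVERS: Dict[str, Tuple[List[str], bool]] = {
    "rc4_only": (["RC4-SHA", "RC4-MD5"], True),
    "rc4_preferred": (["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"], True),
    "aes_preferred": (["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"], True),
    "client_order": (["RC4-SHA", "AES128-SHA"], False),
}


def negotiate(client_offer: List[str], server_list: List[str],
              honour_server_order: bool = True) -> Optional[str]:
    """Pick the first cipher of the side whose order wins that the other side
    also supports; None means the handshake fails (no common cipher)."""
    first, second = ((server_list, client_offer) if honour_server_order
                     else (client_offer, server_list))
    available = set(second)
    for cipher in first:
        if cipher in available:
            return cipher
    return None


def outcomes(client_offer: List[str]) -> Dict[str, Optional[str]]:
    """Negotiated cipher per modelled server for a given client offer."""
    return {name: negotiate(client_offer, ciphers, pref)
            for name, (ciphers, pref) in SERVERS.items()}


def rc4_negotiated(client_offer: List[str]) -> List[str]:
    """Names of modelled servers that end up on RC4 with this client offer."""
    return [name for name, cipher in outcomes(client_offer).items()
            if cipher is not None and cipher.startswith("RC4")]


if __name__ == "__main__":
    for label, offer in (("client offers RC4", CLIENT_WITH_RC4),
                         ("client without RC4", CLIENT_NO_RC4)):
        print(label, outcomes(offer))
```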

