/srv/irclogs.ubuntu.com/2022/01/20/#ubuntu-security.txt

=== ravan__ is now known as ravan
tomreyn	do you have an opionion as to whether firefox on 22.04 LTS should still support weak CBC cipher suites, thus connect to https://cbc.badssl.com without a warning?	22:00
tomreyn	because that's what it does in todays' canary build	22:01
tomreyn	https://i.imgur.com/trja515.png	22:02
sarnold	we pretty much just defer to mozilla to make good choices	22:02
sarnold	certainly in an ideal world cbc would be forgotten by now, but there's loads of websites that don't yet do anything better, and mozilla's in a position to work with other browser vendors to communicate crypto protocol changes, in a way that we are not in a position to do that..	22:03
tomreyn	https://bugzilla.mozilla.org/show_bug.cgi?id=1227524 suggests this should no longer be so?	22:03
ubottu	Mozilla bug 1227524 in Core "Establish deprecation date for 3DES" [Normal, Resolved: Duplicate]	22:03
tomreyn	well, it can still be disabled in later firefox versions in 22.04, maybe that will happen.	22:06
sarnold	it probably will, mozilla's disabled older ciphers / protocols in the past and they probably will in the future, and probably within 22.04's lifetime	22:07
tomreyn	thanks for your replies, sarnold.	22:08
sdeziel	since the list of supported cipher is sent in the clear, tweaking it would increase the "fingerprintability" by (passive) network observers	22:10
tomreyn	well, have you run the panopticlick / coveryourtracks test (EFF) with an out of the box ubuntu installation lately?	22:13
sarnold	there's dozens of us! dozens!	22:13
tomreyn	:)	22:14
sdeziel	haha, but panopticlick looks at the various headers and other things it can sniff... the SSL handshake is visible to everyone on path so it's a different beast	22:29
tomreyn	yes, but this wouldn't create a unique match. a lot of sites use fingerprintjs these days, though.	22:37

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!