[22:00] <tomreyn> do you have an opinion as to whether firefox on 22.04 LTS should still support weak CBC cipher suites, thus connect to https://cbc.badssl.com without a warning?
[22:01] <tomreyn> because that's what it does in today's canary build
[22:02] <tomreyn> https://i.imgur.com/trja515.png
[22:02] <sarnold> we pretty much just defer to mozilla to make good choices
[22:03] <sarnold> certainly in an ideal world cbc would be forgotten by now, but there's loads of websites that don't yet do anything better, and mozilla's in a position to work with other browser vendors to communicate crypto protocol changes, in a way that we are not in a position to do that..
[22:03] <tomreyn> https://bugzilla.mozilla.org/show_bug.cgi?id=1227524 suggests this should no longer be so?
[22:06] <tomreyn> well, it can still be disabled in later firefox versions in 22.04, maybe that will happen.
[22:07] <sarnold> it probably will, mozilla's disabled older ciphers / protocols in the past and they probably will in the future, and probably within 22.04's lifetime
[22:08] <tomreyn> thanks for your replies, sarnold.
[22:10] <sdeziel> since the list of supported ciphers is sent in the clear, tweaking it would increase the "fingerprintability" by (passive) network observers
[22:13] <tomreyn> well, have you run the panopticlick / coveryourtracks test (EFF) with an out of the box ubuntu installation lately?
[22:13] <sarnold> there's dozens of us! dozens!
[22:14] <tomreyn> :)
[22:29] <sdeziel> haha, but panopticlick looks at the various headers and other things it can sniff... the SSL handshake is visible to everyone on path so it's a different beast
[22:37] <tomreyn> yes, but this wouldn't create a unique match. a lot of sites use fingerprintjs these days, though.