[Wontfix] Accept RC4 connections but indicate low security

squarefractal

[Wontfix] Accept RC4 connections but indicate low security

Unread post by squarefractal » 2015-04-10, 16:20

At present, PM does not allow any RC4 connections unless it is explicitly set to do so from about:config. However, since it breaks a fair number of websites as evident from the forum threads, I have a suggestion: PM should allow RC4 connections, but it should also show a low security indicator in the address bar and specify this in the site info dropdown and the page info dialog.

nostril

Re: Accept RC4 connections but indicate low security

Unread post by nostril » 2015-04-10, 16:42

You're not serious, are you?

Prioritising convenience over security is plain wrong.

x-15a2

Re: Accept RC4 connections but indicate low security

Unread post by x-15a2 » 2015-04-10, 17:09

squarefractal wrote: PM should allow RC4 connections...
No thanks. Web sites should have proper security.

megaman

Re: Accept RC4 connections but indicate low security

Unread post by megaman » 2015-04-10, 18:10

x-15a2 wrote:No thanks. Web sites should have proper security.
Of course, but until sites do have this "Proper Security," we will continue being badgered about this RC4 problem.
If we can automatically inform the sites of their risk, that would be awesome.

dark_moon

Re: Accept RC4 connections but indicate low security

Unread post by dark_moon » 2015-04-10, 19:52

Just no.
If your banking site uses weak security, then contact the admin and do not use it until it is fixed, because RC4 is a big security hole.
I have never seen an important site which uses RC4 only, btw.

squarefractal

Re: Accept RC4 connections but indicate low security

Unread post by squarefractal » 2015-04-11, 01:43

I understand the sentiment expressed here and it would be obviously better if servers would use a better encryption method than RC4, however, unless major browsers get around to disabling RC4 and sites take action on that (i.e. disabling RC4), there are many users who would just leave Pale Moon because it "doesn't work".

It's kind of sad that such people would be leaving a browser that provides them better security, but that happens to be the truth.

dark_moon

Re: Accept RC4 connections but indicate low security

Unread post by dark_moon » 2015-04-11, 06:55

Then let them leave. Pale Moon doesn't need a way to open a website at any security cost, like Firefox.
Other users will join Pale Moon because we have better security settings than Firefox, and most users prefer a secure browser.

New Tobin Paradigm

Re: Accept RC4 connections but indicate low security

Unread post by New Tobin Paradigm » 2015-04-11, 07:02

What Firefox is doing is they are setting up a whitelist for RC4-only websites. This is just as dangerous as leaving it on. Not only is the security still an issue, but then you have an entity telling you: "Oh, it is OK to go to this site but not another." It creates a situation where organizations can get away with poor security by means of arbitrary criteria dictated by the entity maintaining the whitelist.

Connect at all costs if we decide you should be allowed to.

Very slippery slope if you ask me. It also promotes favoritism. It is not the job of the entity behind the web browser to be biased toward or dictate who gets special treatment, ESPECIALLY when it comes to security.
Last edited by New Tobin Paradigm on 2015-04-11, 07:25, edited 1 time in total.

LimboSlam

Re: Accept RC4 connections but indicate low security

Unread post by LimboSlam » 2015-04-11, 07:12

RC4 is a security risk I would not take, even if it killed my favorite websites to visit. Just switch to a different browser for that certain website and then back to Pale Moon for your regular browsing needs.

New Tobin Paradigm

Re: Accept RC4 connections but indicate low security

Unread post by New Tobin Paradigm » 2015-04-11, 07:18

The risk is not altered depending on the browser. Using Pale Moon or using Firefox or using Chrome, the cipher is not trustworthy anymore. Thus the connection and the data being exchanged are NOT reliably secure.

Moonchild

Re: Accept RC4 connections but indicate low security

Unread post by Moonchild » 2015-04-11, 08:15

Another thing to keep in mind is that this is only a problem where sites exclusively use RC4, which is bad to begin with. The RFC also states that servers and clients MUST NOT accept the connection. No exceptions. Catering to sites that only offer RC4 by allowing them to connect anyway is not a pressing reason for those server operators to change and you will keep an insecure status quo. See also the "secure renegotiation" and TLS intolerance insecurity where we've seen this exact same thing before: clients connecting "at all costs" and server operators not being aware of, or unwilling to, use proper security. Down to the point where workarounds for workarounds have to be made (SCSV in that case) when an exploit for the workaround is found.

So, a definite no. RC4 needs to be off. No exceptions, no whitelisting. If server operators "don't care" about adding at least one acceptable cipher to their offered ciphers, then they obviously also don't care about your security while operating a "secure" server (mind the quotes there), and should not be granted the privilege of your patronage.
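The RFC referred to above is RFC 7465 ("Prohibiting RC4 Cipher Suites"), which requires clients not to offer RC4 suites in the ClientHello, requires servers not to select them, and requires a client to terminate the handshake if the server selects one anyway. The following is an added example, written for this page and not code from Pale Moon, Mozilla or the forum participants, showing what those client-side checks look like over a raw TLS ServerHello record. The suite table is a subset of the RC4 suites the RFC removes, the sample ServerHello is constructed inline (fixed zero random, no extensions) so it runs offline, and the function names are the author's own.

```python
import struct

# Subset of the RC4 cipher suites RFC 7465 removes (code -> IANA name).
# The RFC's appendix lists every RC4 suite; these are the ones commonly seen on the wire.
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
}


def strip_rc4(offered_suites):
    """RFC 7465 sec. 2: a client MUST NOT include RC4 suites in its ClientHello.
    Returns the client's preference list with every RC4 suite removed."""
    return [s for s in offered_suites if s not in RC4_SUITES]


def rc4_only(server_suites):
    """True when a server is configured with nothing but RC4 suites, i.e. the
    'RC4-only site' case discussed in the thread: an RFC 7465 client can never
    find a common suite with such a server."""
    return bool(server_suites) and all(s in RC4_SUITES for s in server_suites)


def parse_server_hello(record):
    """Parse a TLS record carrying a ServerHello and return (version, cipher_suite).
    Layout: record header (type, version, length) -> handshake header (type, 3-byte
    length) -> ServerHello (version, 32-byte random, session id, cipher suite, ...)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]                       # session_id<0..32> length byte
    off = 35 + sid_len
    if off + 2 > len(hello):
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    return version, cipher


def client_must_abort(record):
    """RFC 7465 sec. 2: if the server selects an RC4 suite, the client MUST
    terminate the connection. Returns True when the handshake must be aborted."""
    _, cipher = parse_server_hello(record)
    return cipher in RC4_SUITES


def build_server_hello(cipher, version=0x0303):
    """Constructed sample input: a minimal TLS 1.2 ServerHello with a zero random,
    empty session id, the given cipher suite and null compression (no extensions)."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", cipher) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # A server that answers with TLS_RSA_WITH_RC4_128_SHA must be dropped;
    # one that answers with an ECDHE/AES-GCM suite (0xC02F) may proceed.
    for suite in (0x0005, 0xC02F):
        hello = build_server_hello(suite)
        print(hex(suite), "abort" if client_must_abort(hello) else "continue")
    print("RC4-only server:", rc4_only([0x0004, 0x0005]))
```

The constructed ServerHello is the cheapest way to exercise the abort path; against a live server the same `parse_server_hello` applies to the first record read back after sending a ClientHello. Note that `rc4_only` answers the question Moonchild raises (the problem only exists for servers offering nothing else), while `strip_rc4` and `client_must_abort` are the two client obligations the RFC imposes regardless of what the server offers.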

squarefractal

Re: Accept RC4 connections but indicate low security

Unread post by squarefractal » 2015-04-11, 08:35

Moonchild wrote:The RFC also states that servers and clients MUST NOT accept the connection. No exceptions.
I was not aware of the RFC, thank you for bringing it to my attention. I was under the impression that this was by the PM dev(s) and not required by standard.

So it turns out that PM is actually doing the right thing, and the "[wontfix]" is appropriate.
