Secure connection failed question (RSA-RC4-SHA)
Posted: 2017-10-09, 14:24
by back2themoon
Trying to log in at http://www.surething.com/ at the top-right Login button fails, and only works if security.ssl3.rsa_rc4_128_sha is set to True. Found this out on the Secure connections error FAQ entry (point 2 - RC4).
It mentions that "all main, current browsers will drop support for RC4 in early 2016" but since other browsers can access that page normally the question is, is it a case of other browsers still supporting this type of connection or is it something else? Thanks.
Re: Secure connection failed question (RSA-RC4-SHA)
Posted: 2017-10-09, 16:06
by satrow
Qualys scores the site as a 'C', primarily for the lack of TLS 1.2, which means they don't have a secure protocol:
https://www.ssllabs.com/ssltest/analyze ... ething.com
No doubt some (many?) browsers would fall back by default to the old and insecure protocols necessary to connect to it, maybe without any obvious warning either.
If you do lower your defences to allow connections to such sites as these, please reset them after use.
Pale Moon Commander is a great help with modifying protocol access/exclusions (and a lot more), in case anyone doesn't have it.
Re: Secure connection failed question (RSA-RC4-SHA)
Posted: 2017-10-09, 16:14
by Pallid Planetoid
^ I am not the OP, but thanks for the info --- I've returned the pref security.ssl3.rsa_rc4_128_sha back to default false, since I do not use this (http://www.surething.com/) website anyway.... better to be more secure when surfing the web....

Re: Secure connection failed question (RSA-RC4-SHA)
Posted: 2017-10-09, 16:28
by Moonchild
back2themoon wrote: It mentions that "all main, current browsers will drop support for RC4 in early 2016" but since other browsers can access that page normally the question is, is it a case of other browsers still supporting this type of connection or is it something else?
The only other cipher that is supported is 112-bit 3DES, and that is what other browsers will use.
3DES is known weak because of SWEET32 and similar small-block attacks, and Pale Moon disables it as well. If you have the choice between the two, 3DES is (marginally) better, but neither is a good choice. 3DES will also be phased out but I don't know the expected time frame for that. If it was up to me, mainstream browsers would disable it yesterday.
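Added example, not part of the thread or of Pale Moon's code: a small model of TLS cipher-suite selection showing why a client with RC4 and 3DES both disabled gets a handshake failure against a server that offers only those two, while a client that still offers 3DES connects. The cipher suite IDs are the IANA code points; the client profiles, the AES suites in them and the server's preference order are constructed assumptions.

```python
import struct

# IANA TLS cipher suite code points (real registry values).
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
RC4, TDES, AES_CBC, AES_GCM = 0x0005, 0x000A, 0x002F, 0xC02F

def encode_cipher_suites(ids):
    """ClientHello cipher_suites vector: 2-byte length, then 2-byte IDs."""
    return struct.pack("!H", 2 * len(ids)) + b"".join(struct.pack("!H", i) for i in ids)

def decode_cipher_suites(blob):
    """Parse the vector, rejecting truncated or odd-length input."""
    if len(blob) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack_from("!H", blob, 0)
    if length % 2 or length != len(blob) - 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", blob, 2 + off)[0] for off in range(0, length, 2)]

def negotiate(client_blob, server_ids):
    """Server-side selection: first server-preferred suite the client offered.
    Returns the suite name, or None (the server would send handshake_failure)."""
    offered = set(decode_cipher_suites(client_blob))
    for sid in server_ids:
        if sid in offered:
            return SUITES.get(sid, hex(sid))
    return None

# Constructed inputs modelling the thread, not captured traffic.
SERVER = [TDES, RC4]                        # only legacy suites; order is an assumption
CLIENT_STRICT = [AES_GCM, AES_CBC]          # RC4 and 3DES both disabled
CLIENT_RC4_ON = [AES_GCM, AES_CBC, RC4]     # security.ssl3.rsa_rc4_128_sha = true
CLIENT_3DES_ON = [AES_GCM, AES_CBC, TDES]   # a browser that still offers 3DES

def demo():
    """Map each constructed client profile to the negotiated suite."""
    clients = {"strict": CLIENT_STRICT, "rc4_on": CLIENT_RC4_ON, "3des_on": CLIENT_3DES_ON}
    return {name: negotiate(encode_cipher_suites(ids), SERVER) for name, ids in clients.items()}

if __name__ == "__main__":
    for name, suite in demo().items():
        print(f"{name:8} -> {suite or 'handshake_failure (no common suite)'}")
```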