Secure connection failed question (RSA-RC4-SHA)

back2themoon
Board Warrior

Post by back2themoon » 2017-10-09, 14:24

Trying to log in at http://www.surething.com/ at the top-right Login button fails, and only works if security.ssl3.rsa_rc4_128_sha is set to True. Found this out on the Secure connections error FAQ entry (point 2 - RC4).

It mentions that "all main, current browsers will drop support for RC4 in early 2016" but since other browsers can access that page normally the question is, is it a case of other browsers still supporting this type of connection or is it something else? Thanks.

satrow
Forum staff

Post by satrow » 2017-10-09, 16:06

Qualys scores the site as a 'C', primarily for the lack of TLS 1.2, which means they don't have a secure protocol: https://www.ssllabs.com/ssltest/analyze ... ething.com

No doubt some (many?) browsers would fall back by default to the old and insecure protocols necessary to connect to it, maybe without any obvious warning either.

If you do lower your defences to allow connections to such sites as these, please reset them after use. Pale Moon Commander is a great help with modifying protocol access/exclusions (and a lot more), in case anyone doesn't have it.

Pallid Planetoid
Knows the dark side

Post by Pallid Planetoid » 2017-10-09, 16:14

^ I am not the OP, but thanks for the info --- I've returned the pref security.ssl3.rsa_rc4_128_sha back to default false, since I do not use this (http://www.surething.com/) website anyway... better to be more secure when surfing the web...
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising

Moonchild
Pale Moon guru

Post by Moonchild » 2017-10-09, 16:28

back2themoon wrote: It mentions that "all main, current browsers will drop support for RC4 in early 2016" but since other browsers can access that page normally the question is, is it a case of other browsers still supporting this type of connection or is it something else?
The only other cipher that is supported is 112-bit 3DES, and that is what other browsers will use.

3DES is known to be weak because of SWEET32 and similar small-block attacks, and Pale Moon disables it as well. If you have the choice between the two, 3DES is (marginally) better, but neither is a good choice. 3DES will also be phased out, but I don't know the expected time frame for that. If it was up to me, mainstream browsers would disable it yesterday.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
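
Added example (not written by any poster in this thread and not Pale Moon code): a small model of the cipher-suite selection described in the last reply, showing why a client that disables both RC4 and 3DES gets no connection while one that still offers either of them connects with a weak suite. The suite lists are constructed assumptions; the exact 3DES suite the site offers and the client profile contents are hypothetical.

```python
# Added example. Suite names are IANA names; the lists are constructed
# assumptions for illustration, not captured from the site or any browser.
SERVER = [  # thread: the site supports only RC4 and 3DES (exact 3DES suite assumed)
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
CLIENT_ALL = [  # hypothetical full client list, strongest first
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
PROFILES = {  # weak primitives each client configuration refuses to offer
    "Pale Moon default": {"RC4", "3DES"},
    "Pale Moon, security.ssl3.rsa_rc4_128_sha=true": {"3DES"},
    "browser still offering 3DES": {"RC4"},
}

def weakness(suite):
    """Return 'RC4' or '3DES' if the suite name contains that primitive, else None."""
    for marker in ("RC4", "3DES"):
        if f"_{marker}_" in suite:
            return marker
    return None

def client_offer(disabled):
    """Suites the client lists in its ClientHello after dropping disabled primitives."""
    return [s for s in CLIENT_ALL if weakness(s) not in disabled]

def negotiate(offer, server=SERVER):
    """Server picks its first suite the client also offered; None means handshake failure."""
    offered = set(offer)
    return next((s for s in server if s in offered), None)

def outcomes():
    """Map each profile to (negotiated suite or None, weak primitive or None)."""
    result = {}
    for name, disabled in PROFILES.items():
        suite = negotiate(client_offer(disabled))
        result[name] = (suite, weakness(suite) if suite else None)
    return result

if __name__ == "__main__":
    for name, (suite, weak) in outcomes().items():
        status = f"{suite} (weak: {weak})" if suite else "no common suite: Secure Connection Failed"
        print(f"{name:48} {status}")
```
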