
There's sort of a chicken/egg problem here. You can actually just disable them in configuration; in Firefox, you can just go to about:config and set all the security.*.rc4* to false instead of true. However, this breaks a *lot* of sites, including some big ones.

On Thu, 2014-09-18 at 11:26 +0100, Cathal Garvey wrote:
This is what occurred to me when I saw your first few mails on this subject; how hard is it to just comment out the stupid algos in the source for FF/Chrome, and just recompile? TLS negotiates available algos, so there's probably a list somewhere of which algos to send to the server; you could change nothing but that list and the algos would simply never be advertised, negotiated, or used?
On 18/09/14 03:31, coderman wrote:
https://twitter.com/grittygrease/status/512328703938797568
<grittygrease> Are you planning on dropping RC4 support in Chrome anytime soon?
<sleevi_> Not until I can work with @mikewest to get our mixed content detection improved and get @__apf__ on board for more sec-ui :)
-- Sent from Ubuntu
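
The thread's point that a TLS client advertises a list of algorithms, and that RC4 left off that list is never negotiated, can be checked against a captured ClientHello. This is an added example, not code from the thread or from Firefox/Chrome; the function names are hypothetical, the RC4 table is a subset of the IANA cipher suite registry, and the sample ClientHello is constructed.

```python
import struct

# Subset of IANA TLS cipher suite IDs that use RC4 (not exhaustive).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def offered_suites(record):
    """Return the cipher suite IDs advertised in one TLS ClientHello record."""
    # Byte 0 is the record type (0x16 = handshake); byte 5 is the
    # handshake type (0x01 = ClientHello).
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    # Skip record header (5), handshake header (4), version (2), random (32).
    pos = 5 + 4 + 2 + 32
    if pos >= len(record):
        raise ValueError("truncated ClientHello")
    pos += 1 + record[pos]  # session_id length byte plus the session_id
    if pos + 2 > len(record):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("malformed cipher suite list")
    return [s for (s,) in struct.iter_unpack("!H", record[pos:pos + n])]

def rc4_offered(record):
    """Names of the RC4 suites the client is still willing to negotiate."""
    return [RC4_SUITES[s] for s in offered_suites(record) if s in RC4_SUITES]

def build_client_hello(suites):
    """Constructed sample: minimal TLS 1.2 ClientHello without extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += struct.pack("!%dH" % len(suites), *suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    before = build_client_hello([0xC02F, 0xC011, 0x0005, 0x002F])
    after = build_client_hello([0xC02F, 0x002F])  # RC4 prefs set to false
    print("before:", rc4_offered(before))
    print("after: ", rc4_offered(after))
```

An empty result from `rc4_offered` on a browser's real ClientHello confirms the configuration change took effect; it says nothing about which sites will then fail to connect.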