It's simple: fallback = a MITM attacker can force fallback = you're pwned...
On 20 Feb 2015, at 19:42, Stefan Neufeind dane-users@stefan-neufeind.de wrote:
On 02/20/2015 07:26 PM, Patrick Ben Koetter wrote:
A little off topic for DANE users, but somehow in scope. You might consider disabling RC4 in your server's cipher suite. IETF released an RFC requiring
(...) that Transport Layer Security (TLS) clients and servers never negotiate the use of RC4 cipher suites when they establish connections. This applies to all TLS versions. This document updates RFCs 5246, 4346, and 2246. -- Prohibiting RC4 Cipher Suites, https://tools.ietf.org/rfc/rfc7465.txt
How about support (as a fallback) for older clients? How "safe" (no pun intended) is it to disable as of today?
Kind regards, Stefan
Andreas Fink
CEO DataCell ehf CEO Backbone ehf
---------------------------------------------------------------
Tel: +41-61-6666330 Fax: +41-61-6666331 Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail: andreas@fink.org
www.datacell.com, www.backbone.is, www.finkconsulting.com www.fink.org
---------------------------------------------------------------
Jabber/XMPP: andreas@fink.org ICQ: 8239353 Skype: andreasfink
Support the reboot of the internet into secure mode: http://bootstrap.is
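
As an added illustration (not part of the original thread and not any poster's code), this Python sketch shows the trade-off discussed above: it flags RC4 suites by name, builds a server context with RC4 excluded, and uses a simplified server-preference negotiation model to show what happens to a client that offers only RC4. The function names and the sample suite lists are assumptions constructed for this example.

```python
import ssl

# Constructed sample data (OpenSSL suite names), not taken from the thread.
SERVER_BEFORE = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
LEGACY_CLIENT = ["RC4-SHA", "RC4-MD5"]  # hypothetical client offering only RC4


def rc4_suites(names):
    """Return the suite names that use RC4 (OpenSSL or IANA spelling)."""
    return [n for n in names if "RC4" in n.upper().replace("-", "_").split("_")]


def without_rc4(names):
    """Drop every RC4 suite, keeping the original preference order."""
    flagged = set(rc4_suites(names))
    return [n for n in names if n not in flagged]


def negotiate(server_prefs, client_offer):
    """Simplified model: the server picks its most-preferred suite that the
    client also offers; None stands for a handshake failure."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


def server_context_without_rc4(base="HIGH:MEDIUM"):
    """Server-side SSLContext whose TLS <= 1.2 cipher list excludes RC4."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(base + ":!RC4:!aNULL:!eNULL")
    return ctx


def enabled_suites(ctx):
    """Names of the suites the context will actually accept."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    after = without_rc4(SERVER_BEFORE)
    for label, client in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(label, "before:", negotiate(SERVER_BEFORE, client),
              "after:", negotiate(after, client))
    print("RC4 left in context:",
          rc4_suites(enabled_suites(server_context_without_rc4())))
```

In this model, removing RC4 leaves the modern client's result unchanged, while the RC4-only client gets a handshake failure instead of an RC4 connection.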