nanog mailing list archives

Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers


From: Geoffrey Keating <geoffk () geoffk org>
Date: 17 Jul 2015 12:00:07 -0700

Robert Drake <rdrake () direcpath com> writes:

On 7/17/2015 4:26 AM, Alexander Maassen wrote:
Well, this block also affects people who have old management hardware
around using such ciphers that are for example no longer supported. In my
case for example the old Dell DRACs. And it seems there is no way to
disable this block.

Ok, it is good to think about security, but not giving you any chance to
make exceptions is simply forcing users to use another browser in order to
manage those devices, or to keep an old machine around that does not get
updated.

Or just fall back to no SSL in some cases :(  We have some old vendor
things that were chugging along until everyone upgraded Firefox and
then suddenly they stopped working.  The "fix" was to use the
alternate non-SSL web port rather than upgrade because even though the
software is old, it's too critical to upgrade it in-line.

This is going to happen, probably more and more in the future.
There's a point where making 99% of the web secure is better than
keeping an old 1% working; so if you have hardware that's in the 1% or
.1%, one day you'll wake up and there'll be an update out and that
update will break your old stuff.  Worse, in the future the update
might have already been applied overnight.

The next one of these that I know is coming, and just don't know
exactly when, is RC4.  Somewhere on the horizon is SHA-1.  Also:
<2048-bit RSA keys, <2048-bit DH, TLS 1.0.  There are probably others I
have forgotten.
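As an added example (not part of the thread, not code from any poster): a small Python script that reads the text `openssl s_client -connect host:443` prints (plus the "Signature Algorithm" line from `openssl x509 -text`) and flags each parameter on the deprecation list above, so an operator can inventory old management interfaces before the next browser update bites. The sample output is constructed by hand for the example; the thresholds are the ones the message names (2048-bit RSA and DH, TLS 1.0, RC4, SHA-1).

```python
import re

# Constructed sample: the tail of an `openssl s_client` session plus the
# "Signature Algorithm" line from `openssl x509 -text`. Assembled by hand
# for this example; not captured from any real host or device.
SAMPLE_OUTPUT = """\
Server public key is 1024 bit
Server Temp Key: DH, 1024 bits
Signature Algorithm: sha1WithRSAEncryption
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
"""

# The list from the message: RC4, SHA-1, <2048-bit RSA, <2048-bit DH, TLS 1.0.
MIN_RSA_BITS = 2048
MIN_DH_BITS = 2048
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def parse_openssl_output(text):
    """Extract handshake parameters from openssl s_client / x509 -text output."""
    params = {}
    m = re.search(r"Server public key is (\d+) bit", text)
    if m:
        params["server_key_bits"] = int(m.group(1))
    # Forms seen: "DH, 1024 bits", "ECDH, P-256, 256 bits", "X25519, 253 bits"
    m = re.search(r"Server Temp Key: (\w+)(?:, [\w-]+)?, (\d+) bits", text)
    if m:
        params["kex"] = m.group(1)
        params["kex_bits"] = int(m.group(2))
    m = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if m:
        params["sig_alg"] = m.group(1)
    m = re.search(r"Protocol\s*:\s*(\S+)", text)
    if m:
        params["protocol"] = m.group(1)
    m = re.search(r"Cipher\s*:\s*(\S+)", text)
    if m:
        params["cipher"] = m.group(1)
    return params


def audit(params):
    """Return one finding string per parameter that is on the deprecation list."""
    findings = []
    # s_client prints the key size but not its type; for an ECDSA certificate
    # a small bit count is normal, so confirm the type with x509 -text first.
    bits = params.get("server_key_bits")
    if bits is not None and bits < MIN_RSA_BITS:
        findings.append(f"server key is {bits} bits (< {MIN_RSA_BITS})")
    # Only finite-field DH is measured against 2048; ECDH/X25519 sizes differ.
    if params.get("kex") == "DH" and params.get("kex_bits", MIN_DH_BITS) < MIN_DH_BITS:
        findings.append(f"ephemeral DH group is {params['kex_bits']} bits (< {MIN_DH_BITS})")
    if "sha1" in params.get("sig_alg", "").lower():
        findings.append(f"certificate signed with {params['sig_alg']} (SHA-1)")
    if params.get("protocol") in WEAK_PROTOCOLS:
        findings.append(f"negotiated {params['protocol']} (TLS 1.0 or older)")
    if "RC4" in params.get("cipher", "").upper():
        findings.append(f"negotiated RC4 cipher suite {params['cipher']}")
    return findings


def audit_openssl_output(text):
    """Parse and audit in one step; returns the list of findings."""
    return audit(parse_openssl_output(text))


if __name__ == "__main__":
    for finding in audit_openssl_output(SAMPLE_OUTPUT):
        print("WEAK:", finding)
```

Run it against saved `openssl s_client` output for each management interface; an empty findings list means none of the listed parameters is present, not that the endpoint is otherwise well configured.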
