Remove RC4 from libravatar-www

Bug #1163627 reported by François Marier
Affects: Libravatar (obsolete)
Status: Fix Released
Importance: High
Assigned to: François Marier

Bug Description

We should move away from RC4 on libravatar-www given that it's not all that great anymore:

  http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html

There's probably no need to change -seccdn though.

François Marier (fmarier) wrote :

Now that the main server is on wheezy, we should improve its TLS config:

  http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Removing RC4, disabling compression and favouring the TLS 1.2 ciphers that give perfect forward secrecy.

Changed in libravatar:
importance: Medium → High
information type: Public → Public Security
Changed in libravatar:
status: Confirmed → Fix Committed
Changed in libravatar:
status: Fix Committed → Fix Released
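
The comment above names three goals for the TLS config: no RC4, no compression, and TLS 1.2 forward-secret ciphers preferred. As an added example (not Libravatar's own code), here is a small auditor that checks a server's cipher preference order against those goals. The function names, the name-based classification heuristic for OpenSSL suite names, and both sample lists are assumptions constructed for illustration.

```python
import re

# OpenSSL suite names: an ECDHE-/DHE-/EDH- prefix means ephemeral key exchange (PFS).
_PFS = re.compile(r"^(ECDHE|DHE|EDH)-")
# Heuristic: TLS 1.2-only suites use AEAD (GCM, CHACHA20) or a SHA256/SHA384 MAC.
_TLS12 = re.compile(r"(GCM|CHACHA20|SHA256$|SHA384$)")

def classify(suite):
    """Tag one OpenSSL-style suite name by the properties the comment cares about."""
    return {"rc4": "RC4" in suite.split("-"),
            "pfs": bool(_PFS.match(suite)),
            "tls12": bool(_TLS12.search(suite))}

def audit(preference, compression_enabled):
    """preference: suite names, most preferred first. Returns a list of findings."""
    info = [(s, classify(s)) for s in preference]
    findings = [f"RC4 suite offered: {s}" for s, c in info if c["rc4"]]
    # Any PFS suite listed after the first non-PFS suite is ranked too low.
    first_weak = next((i for i, (_, c) in enumerate(info) if not c["pfs"]), None)
    if first_weak is not None:
        weak = info[first_weak][0]
        findings += [f"PFS suite {s} ranked below non-PFS suite {weak}"
                     for s, c in info[first_weak + 1:] if c["pfs"]]
    if not any(c["pfs"] and c["tls12"] for _, c in info):
        findings.append("no TLS 1.2 forward-secret suite offered")
    elif not (info[0][1]["pfs"] and info[0][1]["tls12"]):
        findings.append(f"top preference {info[0][0]} is not TLS 1.2 forward-secret")
    if compression_enabled:
        findings.append("TLS compression enabled")
    return findings

# Constructed sample: an RC4-first list with compression on.
BEFORE = ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DHE-RSA-AES256-SHA"]
# Constructed sample: a hardened list, TLS 1.2 PFS suites first, legacy fallback last.
AFTER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
         "DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA",
         "DHE-RSA-AES256-SHA", "AES256-SHA"]

if __name__ == "__main__":
    for label, prefs, comp in (("before", BEFORE, True), ("after", AFTER, False)):
        print(label, audit(prefs, comp) or "no findings")
```

The preference list can come from any scanner that reports suites in server order; the audit only looks at names, so it does not replace a live handshake test.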