On Fri, Aug 16, 2013 at 9:25 PM, C. Scott Ananian <cananian(a)wikimedia.org> wrote:
That said, I'm not part of the operations team either so I can't answer
definitively. I agree that it would probably be useful to have more formal
progress reporting. "Can't disable RC4 in the cipher suite until more than
N% of our readers are using <a set of known good browsers>" for example.
There has been discussion elsewhere on wmf lists about metrics reporting.
Once the blockers were quantified, it would be easier for interested
people to 'count the days' until greater security could be enforced, or to
bring pressure to bear on upstream providers (of the chrome browser, of DNS
root zones, etc) where security fixes are needed.
To be fair, I'm really only talking about non-restrictive changes. For
example, right now we *only* have RC4. Rather than disable RC4 (which would
have consequences), I'm saying why haven't other normal ciphers been
enabled? I don't foresee us doing anything like "all HTTPS for everybody"
anytime in the near future.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com