On Fri, Aug 16, 2013 at 9:25 PM, C. Scott Ananian <cananian@wikimedia.org> wrote:
> That said, I'm not part of the operations team either so I can't answer definitively. I agree that it would probably be useful to have more formal progress reporting. "Can't disable RC4 in the cipher suite until more than N% of our readers are using <a set of known good browsers>" for example. There has been discussion elsewhere on wmf lists about metrics reporting. Once the blockers were quantified, it would be easier for interested people to 'count the days' until greater security could be enforced, or to bring pressure to bear on upstream providers (of the chrome browser, of DNS root zones, etc) where security fixes are needed.
To be fair, I'm really only talking about non-restrictive changes. For example, right now we *only* have RC4. Rather than disable RC4 (which would have consequences), I'm saying why haven't other normal ciphers been enabled? I don't foresee us doing anything like "all HTTPS for everybody" anytime in the near future.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com