Bug#785411: iceweasel: negotiates RC4 despite RFC 7465

brian m. carlson sandals at crustytoothpaste.net
Fri May 15 22:16:24 UTC 2015


Package: iceweasel
Version: 38.0-1
Severity: normal

RFC 7465 forbids the use of RC4 in TLS because it is insecure.  It
states that "TLS clients MUST NOT include RC4 cipher suites in the
ClientHello message."

However, when loading https://www.starbucks.com/card, opening the page
info dialog displays that Iceweasel is using TLS_RSA_WITH_RC4_128_SHA.
Because Iceweasel cannot have successfully negotiated RC4 without
including it in the ClientHello message, it is violating RFC 7465.

Please disable the use of RC4 in Iceweasel, as it is not sufficient to
ensure privacy and security.

-- Package-specific info:

-- Extensions information
Name: Adblock Plus
Location: ${PROFILE_EXTENSIONS}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: Ghostery
Location: ${PROFILE_EXTENSIONS}/firefox at ghostery.com.xpi
Status: enabled

Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywhere at eff.org
Status: enabled

Name: RSS Icon In Awesombar
Location: ${PROFILE_EXTENSIONS}/rssicon at jasnapaka.com.xpi
Status: enabled

Name: Shumway
Location: ${PROFILE_EXTENSIONS}/shumway at research.mozilla.org
Status: user-disabled

Name: User Agent Switcher
Location: ${PROFILE_EXTENSIONS}/{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
Status: enabled

Name: XHTML Ruby Support
Location: ${PROFILE_EXTENSIONS}/{0620B69D-7B58-416d-A92A-0198860C2757}
Status: app-disabled

-- Plugins information
Name: Google Talk Plugin
Location: /opt/google/talkplugin/libnpgoogletalk.so
Package: google-talkplugin
Status: enabled

Name: Google Talk Plugin Video Renderer
Location: /opt/google/talkplugin/libnpo1d.so
Package: google-talkplugin
Status: enabled

Name: Shockwave Flash (11.2.202.429)
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled


-- Addons package information
ii  google-talkplu 5.41.0.0-1   amd64        Google Talk Plugin
ii  iceweasel      38.0-1       amd64        Web browser based on Firefox

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.5
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.16.0-2
ii  libc6                     2.19-18
ii  libcairo2                 1.14.2-2
ii  libdbus-1-3               1.8.18-1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-4
ii  libgcc1                   1:5.1.1-5
ii  libgdk-pixbuf2.0-0        2.31.1-2+b1
ii  libglib2.0-0              2.44.0-3
ii  libgtk2.0-0               2.24.25-3
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.8-1
ii  libnss3                   2:3.19-1
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.10.1-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                5.1.1-5
ii  libvpx1                   1.3.0-3
ii  libx11-6                  2:1.6.3-1
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-9
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1.4.4-2
ii  gstreamer1.0-plugins-good  1.4.5-2

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
ii  fonts-oflb-asana-math  000.907-6
ii  fonts-stix [otf-stix]  1.1.1-3
ii  libcanberra0           0.30-2.1
ii  libgnomeui-0           2.24.5-3
ii  libgssapi-krb5-2       1.12.1+dfsg-20
pn  mozplugger             <none>
ii  otf-stix               1.1.1-1

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
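The report's reasoning is that a negotiated RC4 suite proves the client offered RC4 in its ClientHello, which is exactly what RFC 7465 forbids. The following is an added example, not code from the reporter or the iceweasel package: it parses a TLS ClientHello record far enough to read the cipher_suites vector and reports any RC4 suites it offers. The RC4 code points are the ones I recall from the IANA TLS Cipher Suite registry and are not a complete list of every RC4 suite; the ClientHello bytes are constructed inline for the demonstration, not captured from the browser.

```python
import struct

# RC4 cipher suite code points (subset, from the IANA TLS Cipher Suite
# registry as recalled here; RFC 7465 prohibits all RC4 suites, not only these).
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHA",
    0x0092: "TLS_RSA_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
    0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
}


def client_hello_cipher_suites(record):
    """Return the cipher suite code points offered in one TLS ClientHello record.

    `record` is a single TLS record: 5-byte record header followed by the
    handshake message. Fields are walked only up to cipher_suites; the
    compression methods and extensions that follow are ignored.
    """
    if len(record) < 5 or record[0] != 0x16:          # ContentType handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:                                # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                       # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                                 # session_id<0..32>
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hello[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def rc4_suites_offered(record):
    """Names of RC4 suites in the ClientHello; non-empty means RFC 7465 is violated."""
    return [RC4_SUITES[s] for s in client_hello_cipher_suites(record)
            if s in RC4_SUITES]


def build_client_hello(suites):
    """Constructed minimal TLS 1.2 ClientHello (zero random, no session id,
    null compression only, no extensions), for testing the parser offline."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression_methods: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed sample: an offer that includes TLS_RSA_WITH_RC4_128_SHA,
    # the suite the report saw negotiated, next to one that does not.
    offending = build_client_hello([0xC02F, 0x0005, 0x002F])
    clean = build_client_hello([0xC02F, 0x002F])
    print("offending:", rc4_suites_offered(offending))
    print("clean:", rc4_suites_offered(clean))
```

To apply it to a real browser, capture the first record the client sends to port 443 (e.g. with tcpdump) and pass those bytes to rc4_suites_offered; a non-empty result is the RFC 7465 violation the report infers from the negotiated suite.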