Bug#785411: iceweasel: negotiates RC4 despite RFC 7465
brian m. carlson
sandals@crustytoothpaste.net
Fri May 15 22:16:24 UTC 2015
Package: iceweasel
Version: 38.0-1
Severity: normal
RFC 7465 forbids the use of RC4 in TLS because it is insecure. It
states that "TLS clients MUST NOT include RC4 cipher suites in the
ClientHello message."
However, when loading https://www.starbucks.com/card, opening the page
info dialog displays that Iceweasel is using TLS_RSA_WITH_RC4_128_SHA.
Because Iceweasel cannot have successfully negotiated RC4 without
including it in the ClientHello message, it is violating RFC 7465.
Please disable the use of RC4 in Iceweasel, as it is not sufficient to
ensure privacy and security.
-- Package-specific info:
-- Extensions information
Name: Adblock Plus
Location: ${PROFILE_EXTENSIONS}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Ghostery
Location: ${PROFILE_EXTENSIONS}/firefox@ghostery.com.xpi
Status: enabled
Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywhere@eff.org
Status: enabled
Name: RSS Icon In Awesombar
Location: ${PROFILE_EXTENSIONS}/rssicon@jasnapaka.com.xpi
Status: enabled
Name: Shumway
Location: ${PROFILE_EXTENSIONS}/shumway@research.mozilla.org
Status: user-disabled
Name: User Agent Switcher
Location: ${PROFILE_EXTENSIONS}/{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
Status: enabled
Name: XHTML Ruby Support
Location: ${PROFILE_EXTENSIONS}/{0620B69D-7B58-416d-A92A-0198860C2757}
Status: app-disabled
-- Plugins information
Name: Google Talk Plugin
Location: /opt/google/talkplugin/libnpgoogletalk.so
Package: google-talkplugin
Status: enabled
Name: Google Talk Plugin Video Renderer
Location: /opt/google/talkplugin/libnpo1d.so
Package: google-talkplugin
Status: enabled
Name: Shockwave Flash (11.2.202.429)
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled
-- Addons package information
ii google-talkplu 5.41.0.0-1 amd64 Google Talk Plugin
ii iceweasel 38.0-1 amd64 Web browser based on Firefox
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.0.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.5
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-18
ii libcairo2 1.14.2-2
ii libdbus-1-3 1.8.18-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.1.1-5
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libglib2.0-0 2.44.0-3
ii libgtk2.0-0 2.24.25-3
ii libhunspell-1.3-0 1.3.3-3
ii libnspr4 2:4.10.8-1
ii libnss3 2:3.19-1
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.10.1-1
ii libstartup-notification0 0.12-4
ii libstdc++6 5.1.1-5
ii libvpx1 1.3.0-3
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1.4.4-2
ii gstreamer1.0-plugins-good 1.4.5-2
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
ii fonts-oflb-asana-math 000.907-6
ii fonts-stix [otf-stix] 1.1.1-3
ii libcanberra0 0.30-2.1
ii libgnomeui-0 2.24.5-3
ii libgssapi-krb5-2 1.12.1+dfsg-20
pn mozplugger <none>
ii otf-stix 1.1.1-1
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
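The report's reasoning is that a client can only end up on TLS_RSA_WITH_RC4_128_SHA if it offered an RC4 suite in its ClientHello. The following Python check, added here and not part of the report or of Iceweasel, parses a raw TLS ClientHello record and lists any RC4 suites it offers, which is how one would verify RFC 7465 compliance from a packet capture rather than from the page-info dialog. The suite table is drawn from the IANA registry (export-grade and Kerberos RC4 suites omitted for brevity); the ClientHello used as input is constructed, not captured.

```python
import struct

# IANA cipher-suite codes whose bulk cipher is RC4. RFC 7465 says a client
# MUST NOT offer any of these. Export (0x0003, 0x0017) and KRB5 RC4 suites
# are omitted here for brevity; add them from the IANA registry if needed.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHA",
    0x0092: "TLS_RSA_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
    0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
}

def parse_client_hello_suites(record: bytes) -> list:
    """Return the cipher-suite codes offered in one TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:          # ContentType handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                   # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                      # client_version + random
    pos += 1 + hello[pos]                             # length-prefixed session_id
    n = struct.unpack("!H", hello[pos:pos + 2])[0]    # cipher_suites length
    pos += 2
    raw = hello[pos:pos + n]
    if len(raw) != n or n % 2:
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]

def rc4_suites_offered(record: bytes) -> list:
    """(code, name) for every RC4 suite in the ClientHello; empty means compliant."""
    return [(c, RC4_SUITES[c]) for c in parse_client_hello_suites(record) if c in RC4_SUITES]

def build_client_hello(suites) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello offering SUITES."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # suites, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Run `rc4_suites_offered` over a ClientHello extracted from a capture (for example the handshake record at the start of the TCP stream); a non-empty result is exactly the RFC 7465 violation the report describes.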