GitHub 預定再兩個星期後廢止 HTTPS 連線的 RC4

GitHub 在「Improving GitHub's SSL setup」這邊開頭就提到要拔掉 RC4

To keep GitHub as secure as possible for every user, we will remove RC4 support in our SSL configuration on github.com and in the GitHub API on January 5th 2015.

看了一下日曆,算一算其實意思就是「放完假的星期一我們就來拔 RC4」XDDD

雖然 GitHub 的人說了 Windows XP + IE8 會沒辦法用,不過翻了「Qualys SSL Labs - Projects / User Agent Capabilities: IE 8 / XP」這頁,手動打開 TLS 1.0 後應該還有 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13) 這兩個用 3DES 的 cipher 可以掙扎才對?

不過看 GitHub 目前的 HTTPS 設定,看起來沒打算支援這兩個:「Qualys SSL Labs - Projects / SSL Server Test / github.com」以及「Qualys SSL Labs - Projects / SSL Server Test / github.com」。

不過順便把 3DES 踢出清單也是比較安全啦...

Leave a Reply

Your email address will not be published. Required fields are marked *