Hacker News new | past | comments | ask | show | jobs | submit login

The point of my rule is that if you're going to push new client code, you push a real fix, not a workaround.



Why not push both?

Why can't browsers "suggest" that they don't use RC4 any more, and when they still use RC4 (as they will almost certainly do) they use the workaround.


Then it seems like the right solution is to push TLS 1.2 + AES-GCM along with fixes for Lucky 13, and use CBC for everything before 1.2 and GCM for everything after it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: