The RC4 cipher flags in TBB must be set to "false" by default
Related to the obsolete/broken RC4 cipher, the TBB v5.0.3 about:config -> RC4 has 5 flags set to "true" by default
security.ssl3.ecdhe_ecdsa_rc4_128_sha;true security.ssl3.ecdhe_rsa_rc4_128_sha;true security.ssl3.rsa_rc4_128_md5;true security.ssl3.rsa_rc4_128_sha;true security.tls.unrestricted_rc4_fallback;true
Since the RC4 was proved insecure and obsolete, the TBB must avoid using this by default
Trac:
Username: TORques