[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] firefox about:config

On 4/21/2014 11:06 PM, grarpamp wrote:
> Browsers should have an option to log the ciphersuite
> used per site so users can review their own suite
> profile after some time period and adjust options accordingly.
> I saw one mandantory rsa_rc4_128_sha recently,
> forgot where though.

Forcing RC4 is pretty common.  For all the web servers out there that
don't natively support TLS 1.1+, (RHEL/CentOS 5.x and 6.0 <= 6.4, Debian
Squeeze, etc), RC4 is the *only* cipher available that isn't vulnerable
to the BEAST attack.  I'd expect to continue seeing the use of
RSA_RC4_128_SHA until RHEL 5.x goes EOL in March 2017 and Debian Squeeze
goes EOL in Feb 2016.

Theoretically, all the major browsers have been patched and server
admins could stop restricting connections to RC4, but I have a feeling
that the companies that perform PCI scans (for credit card processing)
still fail servers for BEAST vulnerability if they don't force RC4 for
TLS 1.0.

-- Mike
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to