Killing RC4 (softly)
In 2011, the BEAST attack on TLS v1.0's CBC encryption mode was discovered, prompting experts to recommend using RC4-based cipher suites as a mitigation strategy. However, attacks on RC4 were demonstrated in 2013, making this choice problematic. Since then, modern browsers have started supporting TLS v1.2, but open-source web servers and OpenSSL do not allow for fine-grained control over cipher suite usage based on protocol version. To address this issue, a patch has been released for OpenSSL that disables RC4-based cipher suites for connections using TLS v1.1 and above while leaving them enabled for TLS v1.0 users. This ensures protection against both the BEAST attack and attacks on RC4.
Company
Cloudflare
Date published
Jan. 29, 2014
Author(s)
Piotr Sikora
Word count
401
Language
English
Hacker News points
None found.