On 4/21/2014 11:06 PM, grarpamp wrote:
> Browsers should have an option to log the ciphersuite
> used per site so users can review their own suite
> profile after some time period and adjust options accordingly.
>
> I saw one mandatory rsa_rc4_128_sha recently,
> forgot where though.


Forcing RC4 is pretty common. For all the web servers out there that don't natively support TLS 1.1+ (RHEL/CentOS 5.x and 6.0 <= 6.4, Debian Squeeze, etc.), RC4 is the *only* cipher available that isn't vulnerable to the BEAST attack. I'd expect to continue seeing the use of RSA_RC4_128_SHA until RHEL 5.x goes EOL in March 2017 and Debian Squeeze goes EOL in Feb 2016.

Theoretically, all the major browsers have been patched and server admins could stop restricting connections to RC4, but I have a feeling that the companies that perform PCI scans (for credit card processing) still fail servers for BEAST vulnerability if they don't force RC4 for TLS 1.0.

--
Mike

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
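
The per-site ciphersuite log proposed in the quoted message, and the RC4/BEAST distinction from the reply, sketched as an added example that is not part of either message or of any browser's code. The log format, hostnames, labels and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log: (site, protocol, suite) recorded after each
# handshake. Hostnames and entries are made up for illustration.
SAMPLE_LOG = [
    ("shop.example", "TLSv1", "rsa_rc4_128_sha"),   # suite name as quoted in the thread
    ("shop.example", "TLSv1", "RC4-SHA"),
    ("mail.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("old.example", "TLSv1", "AES128-SHA"),
    ("old.example", "TLSv1.1", "AES128-SHA"),
    ("bank.example", "TLSv1.2", "ECDHE-RSA-RC4-SHA"),
]

# Protocol versions older than TLS 1.1, where CBC suites are the BEAST case.
PRE_TLS11 = {"SSLv3", "TLSv1"}
# Markers of non-CBC (AEAD) suites in common suite naming schemes.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")


def classify(protocol, suite):
    """Label one negotiated (protocol, suite) pair."""
    name = suite.upper().replace("_", "-")
    if "RC4" in name:
        return "rc4"
    if "NULL" in name:
        return "null"
    is_aead = any(marker in name for marker in AEAD_MARKERS)
    if protocol in PRE_TLS11 and not is_aead:
        return "cbc-pre-tls1.1"  # block cipher in CBC mode below TLS 1.1
    return "other"


def profile(log):
    """Per-site tally of labels: the 'suite profile' a user could review."""
    sites = defaultdict(Counter)
    for site, protocol, suite in log:
        sites[site][classify(protocol, suite)] += 1
    return {site: dict(counts) for site, counts in sites.items()}


def rc4_only_sites(log):
    """Sites where every logged handshake used RC4. This shows what was
    observed, not proof that the server refuses other suites."""
    return sorted(s for s, c in profile(log).items() if set(c) == {"rc4"})


if __name__ == "__main__":
    for site, counts in sorted(profile(SAMPLE_LOG).items()):
        print(site, counts)
    print("RC4 on every logged handshake:", rc4_only_sites(SAMPLE_LOG))
```
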