BEAST and RC4

July 18, 2012 by Bruce Morton

In order to mitigate a BEAST attack, the advice is to prioritize RC4 cipher suites on your Web server to avoid the use of vulnerable cipher block chaining (CBC) suites. But how well do the clients support RC4?

Ivan Ristić of Qualys did some tests at SSL Labs and saw that only 45 of 48,481 unique IP addresses (0.09 percent) did not support RC4. Of those, he concludes that most disabled RC4 for one reason or another.

The recommendation is still to prioritize RC4 cipher suites; however, with such broad client support for RC4, you may be able to eliminate your Web server’s support for CBC entirely.

About

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
