Skip to main content

RC4, CBC, what the …?

Mar

28

2013

Time to read

Read so far

Written by: 

Bruce Morton

Time to read

Written by: 

We had the BEAST attack and it was said, “Prioritize RC4 cipher suite.”

We had the Lucky Thirteen attack and it was said again, “Prioritize RC4.”

We had the AlFBPPS attack and it was said, “RC4 is old and crummyCBC-mode would be better, if only it wasn’t already attacked by BEAST and Lucky Thirteen. Everyone should use TLS 1.2.”

RC4, CBC, what the …?

We need to support TLS 1.2? Well, we don’t. Although it was published in 2008, browsers and servers are still readily deployed with TLS 1.2 not enabled.

Where were the guys to say, “Hey, we really don’t want to prefer outdated RC4.” Where were the guys to say, “Hey, developers, why don’t your systems support TLS 1.2, by default, out of box?”

Why are people thinking up improvements, getting them approved in standards, and then nobody mandating that they be implemented and deployed?

I wish I knew.

As we move forward, Ivan Ristić has some great recommendations for each stakeholder to consider implementing.

photo-bruce-morton
Bruce Morton
Director for Certificate Services
Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust, where he has been employed since 1997. His day-to-day responsibilities include managing standards implementations, overseeing Entrust’s policy authority, and monitoring Entrust Certificate Services for industry compliance.
View all of Bruce's Posts
Facebook