[Ach] RC4 ostensibly fully b0rken

Pepi Zawodsky pepi.zawodsky at maclemon.at
Thu Nov 7 15:51:13 CET 2013

According to Jake Appelbaum the NSA has the ability to decrypt RC4 in realtime now. (A publication about this should be available soon.) I honestly trust Jake when he just drops a statement like this. RC4 has had it's fair share of cryptanalysis. Knowing that RC4 shall now be considered cleartext makes it harder to mitigate BEAST serverside.

I guess we have to take the plunge and actually recommend to take XP boxes OFF of the internet for real. We cannot take measures to make “secure” communications with theses boxes by server side configuration without knowingly compromising everyone else. So my take is to drop XP.

I'll add more info on the RC4 issues as soon as I get them!

On 07.11.2013, at 00:07, L. Aaron Kaplan <kaplan at cert.at> wrote:
> which will break if we do not give them RC4 and similar known-weak settings

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131107/6c2e98dd/attachment.sig>

More information about the Ach mailing list