[Ach] RC4 ostensibly fully b0rken

christian mock cm at coretec.at
Thu Nov 7 16:22:07 CET 2013

On Thu, Nov 07, 2013 at 03:51:13PM +0100, Pepi Zawodsky wrote:

> I guess we have to take the plunge and actually recommend to take XP
> boxes OFF of the internet for real. We cannot take measures to make
> “secure” communications with theses boxes by server side
> configuration without knowingly compromising everyone else. So my
> take is to drop XP.

I beg to differ[0] -- firstly, it's Internet Exploder and not XP, as
firefox does just fine. Secondly, even with IE it's possible to get
around RC4 (although the question remains whether DES-CBC3 is better).

This is the config I'm running on https://www.tahina.priv.at:

SSLHonorCipherOrder on

which results in FF (under XP and linux) and Dolphin on Android to
negotiate "DHE-RSA-AES256-SHA", and IE 8 does "DES-CBC3-SHA".


[0] not that I wouldn't like to see all windows boxes kicked from the

Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - Damit so etwas nicht passiert!



More information about the Ach mailing list