[Ach] RC4 ostensibly fully b0rken
cm at coretec.at
Thu Nov 7 16:22:07 CET 2013
On Thu, Nov 07, 2013 at 03:51:13PM +0100, Pepi Zawodsky wrote:
> I guess we have to take the plunge and actually recommend to take XP
> boxes OFF of the internet for real. We cannot take measures to make
> “secure” communications with theses boxes by server side
> configuration without knowingly compromising everyone else. So my
> take is to drop XP.
I beg to differ -- firstly, it's Internet Exploder and not XP, as
firefox does just fine. Secondly, even with IE it's possible to get
around RC4 (although the question remains whether DES-CBC3 is better).
This is the config I'm running on https://www.tahina.priv.at:
SSLCipherSuite "EDH+aRSA HIGH MEDIUM !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS !RC4"
which results in FF (under XP and linux) and Dolphin on Android to
negotiate "DHE-RSA-AES256-SHA", and IE 8 does "DES-CBC3-SHA".
 not that I wouldn't like to see all windows boxes kicked from the
Christian Mock Wiedner Hauptstr. 15
Senior Security Engineer 1040 Wien
CoreTEC IT Security Solutions GmbH +43-1-5037273
FN 214709 z
CoreTEC: Web Application Audit - Damit so etwas nicht passiert!
More information about the Ach