On Thu, Sep 18, 2014 at 07:33:01PM -0400, Griffin Boyce wrote:
> Andy Isaacson wrote:
>> Ted Smith wrote:
>>> It'd be pretty easy to write a script that harvested the allowed ciphersuites from the top Alexa sites, if you were really interested. The EFF's HTTPS Observatory might also have this information.
>> Plenty of sites switched *to* RC4 during the BEAST attack mitigation. Some may not have switched back.
> So, I ran a couple of quick tests, and checked for RC4... and got 1903 results for the Alexa Top 500. Your theory about websites not switching back seems to hold water.
Note that the BEAST mitigation consists of moving RC4 to the front of the list. RC4 was always a valid option on most server implementations. So if you're "checking for RC4" by looking at the preference list, you're overcounting. Instead you need to look at what the existing client implementations will choose when connecting to the given server preference list. -andy
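To make the distinction concrete (an added example, not code from any poster in this thread or from any scanning tool), the following Python models the cipher-suite selection step of a TLS handshake and runs it over a few constructed server and client profiles. The suite names are real IANA identifiers; the server configurations ("beast-mitigated", "rc4-as-fallback", "client-order", "no-rc4") and client offers ("modern", "legacy") are made up for illustration, not measurements of any real site. It deliberately ignores protocol versions, extensions and fallback behaviour, so it shows the counting problem rather than replacing a real scan.

```python
# Added example, not from the thread: a small model of TLS cipher-suite
# selection used to separate "the server lists RC4 somewhere" from "a real
# client would actually end up on RC4". Profiles below are constructed.

AES_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
AES_CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"
TDES = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
RC4 = "TLS_RSA_WITH_RC4_128_SHA"


def negotiate(server_suites, client_offer, server_preference=True):
    """Return the suite the handshake settles on, or None if there is no overlap.

    With server_preference the server walks its own list and takes the first
    suite the client also offered (this is how a BEAST-era "RC4 first" config
    pulls even modern clients onto RC4); otherwise it honours the client's order.
    """
    if server_preference:
        ordered, available = server_suites, set(client_offer)
    else:
        ordered, available = client_offer, set(server_suites)
    for suite in ordered:
        if suite in available:
            return suite
    return None


# Constructed server profiles: (preference list, honours its own order?)
SERVERS = {
    "beast-mitigated": ([RC4, AES_GCM, AES_CBC, TDES], True),  # RC4 moved to the front
    "rc4-as-fallback": ([AES_GCM, AES_CBC, TDES, RC4], True),  # RC4 present but last
    "client-order":    ([AES_CBC, RC4, TDES], False),          # client ordering wins
    "no-rc4":          ([AES_GCM, AES_CBC], True),
}

# Constructed client profiles: offered suites in the client's preferred order.
CLIENTS = {
    "modern": [AES_GCM, AES_CBC, TDES, RC4],
    "legacy": [RC4, TDES],
}


def rc4_exposure(servers=SERVERS, clients=CLIENTS):
    """Return (servers merely listing RC4, servers where some client lands on RC4).

    The first list is what a "grep the preference list" scan counts; the second
    is what actually matters for traffic on the wire.
    """
    listed = sorted(name for name, (suites, _) in servers.items() if RC4 in suites)
    negotiated = sorted(
        name
        for name, (suites, server_pref) in servers.items()
        if any(negotiate(suites, offer, server_pref) == RC4 for offer in clients.values())
    )
    return listed, negotiated


if __name__ == "__main__":
    listed, negotiated = rc4_exposure()
    print("servers listing RC4:       ", listed)
    print("servers actually using RC4:", negotiated)
```

Run as-is, three of the four constructed servers list RC4, but only two ever hand it to a client: "rc4-as-fallback" keeps RC4 at the bottom of a server-ordered list, so even the legacy client ends up on 3DES. Replacing the constructed CLIENTS with the real offered-suite lists of the browsers you care about is what turns this from a toy into the check Andy describes.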