On Thu, Sep 18, 2014 at 04:16:53PM -0400, Ted Smith wrote:
On Thu, 2014-09-18 at 20:29 +0200, rysiek wrote:
On Thursday, 18 September 2014 11:10:55 Ted Smith wrote:
There's sort of a chicken/egg problem here.
You can actually just disable them in configuration; in Firefox, you can just go to about:config and set all the security.*.rc4* to false instead of true.
However, this breaks a *lot* of sites, including some big ones.
Time for a little name and shame?
This was a while ago and I've forgotten, though it was enough to be annoying.
It'd be pretty easy to write a script that harvested the allowed ciphersuites from the top Alexa sites, if you were really interested. The EFF's HTTPS Observatory might also have this information.
Plenty of sites switched *to* RC4 during the BEAST attack mitigation. Some may not have switched back.

-andy
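A sketch of the ciphersuite check suggested in the thread, as an added example that is not part of the original messages: it sends a hand-built TLS 1.2 ClientHello offering only RC4 suites and reads which suite, if any, the server selects. The ClientHello is built by hand because current OpenSSL builds usually omit RC4, so Python's `ssl` module cannot offer it; the function names are hypothetical, Python 3 is assumed, and hostnames are taken from the command line.

```python
import os, socket, struct, sys

RC4_SUITES = {  # IANA code points of the RC4 suites offered
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def build_client_hello(host, suites=RC4_SUITES):
    """TLS 1.2 ClientHello record offering only `suites`, with SNI for `host`."""
    name = host.encode("ascii")
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    groups = struct.pack("!HHHH", 10, 4, 2, 23)   # supported_groups: secp256r1
    formats = struct.pack("!HHBB", 11, 2, 1, 0)   # ec_point_formats: uncompressed
    ext = sni + groups + formats
    ids = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"             # version, random, no session id
            + struct.pack("!H", len(ids)) + ids + b"\x01\x00"  # suites, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body     # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_reply(data):
    """Name of the suite the server selected, or None if it refused the offer."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x02:
        return None                    # alert (0x15) or anything but a ServerHello
    sid_off = 5 + 4 + 2 + 32           # record hdr, handshake hdr, version, random
    off = sid_off + 1 + data[sid_off]  # skip the variable-length session id
    if len(data) < off + 2:
        return None
    (suite,) = struct.unpack("!H", data[off:off + 2])
    return RC4_SUITES.get(suite, "0x%04X" % suite)

def probe(host, port=443, timeout=5.0):
    """Offer only RC4 to host:port and report what it picked (None = RC4 refused)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        data = b""
        while len(data) < 80 and not (data and data[0] != 0x16):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_reply(data)

if __name__ == "__main__":
    for h in sys.argv[1:]:             # hostnames given on the command line
        print(h, probe(h) or "RC4 refused")
```

A server that answers with a suite name still negotiates RC4 when a client offers nothing else; `None` means it sent an alert or closed the connection instead.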