Andy Isaacson wrote:
Ted Smith wrote:
It'd be pretty easy to write a script that harvested the allowed ciphersuites from the top Alexa sites, if you were really interested. The EFF's HTTPS Observatory might also have this information.
Plenty of sites switched *to* RC4 during the BEAST attack mitigation. Some may not have switched back.
So, I ran a couple of quick tests, and checked for RC4... and got 1903 results for the Alexa Top 500. Your theory about websites not switching back seems to hold water. It's a github repo, since apparently Github doesn't want me to create a 17000-line gist. (Fascists!) Included are the list of supported cipher suites for 494/500 websites along with instructions on verifying/recreating the results: https://github.com/glamrock/ciphersuites The nmap command I used was: sudo nmap -sT -PN -p 443 -iL=alexa.csv --script=ssl-enum-ciphers.nse -oN=alexa_ciphers.txt Which only checks port 443. So if there's some magic port number you want to check (say, 9050 or 5222), be sure to swap that out first. If you want XML output, use -oX instead of -oN (and it's easy to convert xml to json if you're interested in data visualization). The nmap script used was created by Bojan Zdrnja, praised be his name. best, Griffin -- "I believe that usability is a security concern; systems that do not pay close attention to the human interaction factors involved risk failing to provide security by failing to attract users." ~Len Sassaman