https://twitter.com/grittygrease/status/512328703938797568 <grittygrease> Are you planning on dropping RC4 support in Chrome anytime soon? <sleevi_> Not until I can work with @mikewest to get our mixed content detection improved and get @__apf__ on board for more sec-ui :)
This is what occurred to me when I saw your first few mails on this subject; how hard is it to just comment out the stupid algos in the source for FF/Chrome, and just recompile? TLS negotiates available algos, so there's probably a list somewhere of which algos to send to the server; you could change nothing but that list and the algos would simply never be advertised, negotiated, or used? On 18/09/14 03:31, coderman wrote:
https://twitter.com/grittygrease/status/512328703938797568
<grittygrease> Are you planning on dropping RC4 support in Chrome anytime soon?
<sleevi_> Not until I can work with @mikewest to get our mixed content detection improved and get @__apf__ on board for more sec-ui :)
-- Twitter: @onetruecathal, @formabiolabs Phone: +353876363185 Blog: http://indiebiotech.com miniLock.io: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
There's sort of a chicken/egg problem here. You can actually just disable them in configuration; in Firefox, you can just go to about:config and set all the security.*.rc4* to false instead of true. However, this breaks a *lot* of sites, including some big ones. On Thu, 2014-09-18 at 11:26 +0100, Cathal Garvey wrote:
This is what occurred to me when I saw your first few mails on this subject; how hard is it to just comment out the stupid algos in the source for FF/Chrome, and just recompile? TLS negotiates available algos, so there's probably a list somewhere of which algos to send to the server; you could change nothing but that list and the algos would simply never be advertised, negotiated, or used?
On 18/09/14 03:31, coderman wrote:
https://twitter.com/grittygrease/status/512328703938797568
<grittygrease> Are you planning on dropping RC4 support in Chrome anytime soon?
<sleevi_> Not until I can work with @mikewest to get our mixed content detection improved and get @__apf__ on board for more sec-ui :)
-- Sent from Ubuntu
Dnia czwartek, 18 września 2014 11:10:55 Ted Smith pisze:
There's sort of a chicken/egg problem here.
You can actually just disable them in configuration; in Firefox, you can just go to about:config and set all the security.*.rc4* to false instead of true.
However, this breaks a *lot* of sites, including some big ones.
Time for a little name and shame? -- Pozdr rysiek
On Thu, 2014-09-18 at 20:29 +0200, rysiek wrote:
Dnia czwartek, 18 września 2014 11:10:55 Ted Smith pisze:
There's sort of a chicken/egg problem here.
You can actually just disable them in configuration; in Firefox, you can just go to about:config and set all the security.*.rc4* to false instead of true.
However, this breaks a *lot* of sites, including some big ones.
Time for a little name and shame?
This was a while ago and I've forgotten, though it was enough to be annoying. It'd be pretty easy to write a script that harvested the allowed ciphersuites from the top Alexa sites, if you were really interested. The EFF's HTTPS Observatory might also have this information. -- Sent from Ubuntu
On Thu, Sep 18, 2014 at 04:16:53PM -0400, Ted Smith wrote:
On Thu, 2014-09-18 at 20:29 +0200, rysiek wrote:
Dnia czwartek, 18 września 2014 11:10:55 Ted Smith pisze:
There's sort of a chicken/egg problem here.
You can actually just disable them in configuration; in Firefox, you can just go to about:config and set all the security.*.rc4* to false instead of true.
However, this breaks a *lot* of sites, including some big ones.
Time for a little name and shame?
This was a while ago and I've forgotten, though it was enough to be annoying.
It'd be pretty easy to write a script that harvested the allowed ciphersuites from the top Alexa sites, if you were really interested. The EFF's HTTPS Observatory might also have this information.
Plenty of sites switched *to* RC4 during the BEAST attack mitigation. Some may not have switched back. -andy
Andy Isaacson wrote:
Ted Smith wrote:
It'd be pretty easy to write a script that harvested the allowed ciphersuites from the top Alexa sites, if you were really interested. The EFF's HTTPS Observatory might also have this information.
Plenty of sites switched *to* RC4 during the BEAST attack mitigation. Some may not have switched back.
So, I ran a couple of quick tests, and checked for RC4... and got 1903 results for the Alexa Top 500. Your theory about websites not switching back seems to hold water. It's a github repo, since apparently Github doesn't want me to create a 17000-line gist. (Fascists!) Included are the list of supported cipher suites for 494/500 websites along with instructions on verifying/recreating the results: https://github.com/glamrock/ciphersuites The nmap command I used was: sudo nmap -sT -PN -p 443 -iL=alexa.csv --script=ssl-enum-ciphers.nse -oN=alexa_ciphers.txt Which only checks port 443. So if there's some magic port number you want to check (say, 9050 or 5222), be sure to swap that out first. If you want XML output, use -oX instead of -oN (and it's easy to convert xml to json if you're interested in data visualization). The nmap script used was created by Bojan Zdrnja, praised be his name. best, Griffin -- "I believe that usability is a security concern; systems that do not pay close attention to the human interaction factors involved risk failing to provide security by failing to attract users." ~Len Sassaman
On Thu, Sep 18, 2014 at 07:33:01PM -0400, Griffin Boyce wrote:
Andy Isaacson wrote:
Ted Smith wrote:
It'd be pretty easy to write a script that harvested the allowed ciphersuites from the top Alexa sites, if you were really interested. The EFF's HTTPS Observatory might also have this information.
Plenty of sites switched *to* RC4 during the BEAST attack mitigation. Some may not have switched back.
So, I ran a couple of quick tests, and checked for RC4... and got 1903 results for the Alexa Top 500. Your theory about websites not switching back seems to hold water.
Note that the BEAST mitigation consists of moving RC4 to the front of the list. RC4 was always a valid option on most server implementations. So if you're "checking for RC4" by looking at the preference list, you're overcounting. Instead you need to look at what the existing client implementations will choose when connecting to the given server preference list. -andy
participants (6)
-
Andy Isaacson -
Cathal Garvey -
coderman -
Griffin Boyce -
rysiek -
Ted Smith