killing RC4 in Chrome

Andy Isaacson adi at hexapodia.org
Thu Sep 18 13:49:26 PDT 2014


On Thu, Sep 18, 2014 at 04:16:53PM -0400, Ted Smith wrote:
> On Thu, 2014-09-18 at 20:29 +0200, rysiek wrote:
> > Dnia czwartek, 18 wrzeĊ›nia 2014 11:10:55 Ted Smith pisze:
> > > There's sort of a chicken/egg problem here.
> > > 
> > > You can actually just disable them in configuration; in Firefox, you can
> > > just go to about:config and set all the security.*.rc4* to false instead
> > > of true.
> > > 
> > > However, this breaks a *lot* of sites, including some big ones.
> > 
> > Time for a little name and shame?
> 
> This was a while ago and I've forgotten, though it was enough to be
> annoying. 
> 
> It'd be pretty easy to write a script that harvested the allowed
> ciphersuites from the top Alexa sites, if you were really interested.
> The EFF's HTTPS Observatory might also have this information.

Plenty of sites switched *to* RC4 during the BEAST attack mitigation.
Some may not have switched back.

-andy



More information about the cypherpunks mailing list