killing RC4 in Chrome [now with certificate data!]

Griffin Boyce griffin at cryptolab.net
Thu Sep 18 16:33:01 PDT 2014


Andy Isaacson wrote:
> Ted Smith wrote:
>> It'd be pretty easy to write a script that harvested the allowed
>> ciphersuites from the top Alexa sites, if you were really interested.
>> The EFF's HTTPS Observatory might also have this information.
> 
> Plenty of sites switched *to* RC4 during the BEAST attack mitigation.
> Some may not have switched back.

   So, I ran a couple of quick tests, and checked for RC4... and got 1903 
results for the Alexa Top 500.  Your theory about websites not switching 
back seems to hold water.

   It's a github repo, since apparently Github doesn't want me to create 
a 17000-line gist. (Fascists!)  Included are the list of supported 
cipher suites for 494/500 websites along with instructions on 
verifying/recreating the results: 
https://github.com/glamrock/ciphersuites

   The nmap command I used was:

   sudo nmap -sT -PN -p 443 -iL=alexa.csv --script=ssl-enum-ciphers.nse -oN=alexa_ciphers.txt

   Which only checks port 443. So if there's some magic port number you 
want to check (say, 9050 or 5222), be sure to swap that out first. If 
you want XML output, use -oX instead of -oN (and it's easy to convert 
xml to json if you're interested in data visualization).  The nmap 
script used was created by Bojan Zdrnja, praised be his name.

best,
Griffin

-- 
"I believe that usability is a security concern; systems that do
not pay close attention to the human interaction factors involved
risk failing to provide security by failing to attract users."
~Len Sassaman
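
Added example, not part of the original message or of the glamrock/ciphersuites repo: a small parser for the `-oN` output of ssl-enum-ciphers that separates hosts offering RC4 from the raw count of RC4 suite lines, which can exceed the number of hosts because each protocol version lists its suites separately. The sample report, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of `nmap -oN` output from ssl-enum-ciphers;
# hostnames and addresses are documentation placeholders, not scan results.
SAMPLE = """\
Nmap scan report for a.example (192.0.2.10)
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|_  least strength: strong

Nmap scan report for b.example (192.0.2.20)
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

HOST = re.compile(r"^Nmap scan report for (\S+)")
PROTO = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):")
SUITE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)")

def rc4_by_host(report):
    """Map each scanned host to its list of (protocol, suite) pairs using RC4."""
    hits = {}
    host = proto = None
    for line in report.splitlines():
        if m := HOST.match(line):
            host, proto = m.group(1), None
            hits.setdefault(host, [])  # keep hosts that offer no RC4 too
        elif m := PROTO.match(line):
            proto = m.group(1)
        elif host and (m := SUITE.match(line)) and "_RC4_" in m.group(1):
            hits[host].append((proto, m.group(1)))
    return hits

def summarize(report):
    """Return (hosts scanned, sorted hosts offering RC4, total RC4 suite lines)."""
    hits = rc4_by_host(report)
    with_rc4 = sorted(h for h, suites in hits.items() if suites)
    return len(hits), with_rc4, sum(len(s) for s in hits.values())
```

To run it over a real scan, pass the contents of the `-oN` file to `summarize()` in place of `SAMPLE`.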


