killing RC4 in Chrome [now with certificate data!]
Griffin Boyce
griffin at cryptolab.net
Thu Sep 18 16:33:01 PDT 2014
Andy Isaacson wrote:
> Ted Smith wrote:
>> It'd be pretty easy to write a script that harvested the allowed
>> ciphersuites from the top Alexa sites, if you were really interested.
>> The EFF's HTTPS Observatory might also have this information.
>
> Plenty of sites switched *to* RC4 during the BEAST attack mitigation.
> Some may not have switched back.

So, I ran a couple of quick tests, and checked for RC4... and got 1903
results for the Alexa Top 500. Your theory about websites not switching
back seems to hold water.

It's a GitHub repo, since apparently GitHub doesn't want me to create
a 17000-line gist. (Fascists!) Included is the list of supported
cipher suites for 494/500 websites along with instructions on
verifying/recreating the results:
https://github.com/glamrock/ciphersuites

The nmap command I used was:

    sudo nmap -sT -PN -p 443 -iL=alexa.csv --script=ssl-enum-ciphers.nse -oN=alexa_ciphers.txt

Which only checks port 443. So if there's some magic port number you
want to check (say, 9050 or 5222), be sure to swap that out first. If
you want XML output, use -oX instead of -oN (and it's easy to convert
XML to JSON if you're interested in data visualization). The nmap
script used was created by Bojan Zdrnja, praised be his name.

best,
Griffin
--
"I believe that usability is a security concern; systems that do
not pay close attention to the human interaction factors involved
risk failing to provide security by failing to attract users."
~Len Sassaman
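
Added example, not part of the original message or of the linked repo: one way to tally RC4 suites per host from ssl-enum-ciphers normal (-oN) output like the scan above produces. The sample text is constructed (placeholder hosts and addresses, layout assumed from the script's usual output), and the function name rc4_by_host is hypothetical.

```python
import re

# Constructed sample modelled on nmap -oN output from ssl-enum-ciphers.
# Hosts and addresses are placeholders, not data from the repo.
SAMPLE = """\
Nmap scan report for a.example (192.0.2.10)
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong

Nmap scan report for b.example (192.0.2.20)
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
"""

HOST = re.compile(r"^Nmap scan report for (\S+)")
PROTO = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):")
SUITE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)")

def rc4_by_host(text):
    """Map every scanned host to the (protocol, suite) pairs that use RC4."""
    found, host, proto = {}, None, None
    for line in text.splitlines():
        if m := HOST.match(line):
            host, proto = m.group(1), None
            found[host] = []          # hosts with no RC4 keep an empty list
        elif m := PROTO.match(line):
            proto = m.group(1)        # suites below belong to this version
        elif (m := SUITE.match(line)) and host and "_RC4_" in m.group(1):
            found[host].append((proto, m.group(1)))
    return found

if __name__ == "__main__":
    report = rc4_by_host(SAMPLE)
    offering = {h: s for h, s in report.items() if s}
    total = sum(len(s) for s in report.values())
    print(f"{len(offering)}/{len(report)} hosts offer RC4 ({total} suite lines)")
    for h, suites in offering.items():
        print(h, ", ".join(f"{p}:{s}" for p, s in suites))
```

Counting suite lines and counting hosts give different totals, since one host can list RC4 suites under several protocol versions.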