killing RC4 in Chrome [now with certificate data!]

Andy Isaacson adi at hexapodia.org
Thu Sep 18 17:23:06 PDT 2014


On Thu, Sep 18, 2014 at 07:33:01PM -0400, Griffin Boyce wrote:
> Andy Isaacson wrote:
> >Ted Smith wrote:
> >>It'd be pretty easy to write a script that harvested the allowed
> >>ciphersuites from the top Alexa sites, if you were really interested.
> >>The EFF's HTTPS Observatory might also have this information.
> >
> >Plenty of sites switched *to* RC4 during the BEAST attack mitigation.
> >Some may not have switched back.
> 
>   So, I ran a couple of quick tests, and checked for RC4... and got
> 1903 results for the Alexa Top 500.  Your theory about websites not
> switching back seems to hold water.

Note that the BEAST mitigation consists of moving RC4 to the front of
the list.  RC4 was always a valid option on most server implementations.

So if you're "checking for RC4" by looking at the preference list,
you're overcounting.  Instead you need to look at what the existing
client implementations will choose when connecting to the given server
preference list.

-andy
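The negotiation Andy is describing, as an added example that is not part of the original thread: a small Python model of TLS cipher-suite selection. With server order enforced, the server picks the first entry in its own preference list that the client also offered; with client order honoured, the first entry in the ClientHello that the server supports wins. Counting "RC4 anywhere in the server's list" versus "RC4 actually selected for this client" gives different answers. Suite names are IANA identifiers; the hostnames, server preference lists, server-order flags and client offers are constructed for illustration and are not measurements of any real site or browser. The model ignores protocol-version-dependent ordering and downgrade fallbacks.

```python
# Added example (not from the original thread): a minimal model of TLS
# cipher-suite selection, showing why "RC4 appears in the server's list"
# overcounts relative to "this client will actually negotiate RC4".
# Suite names are IANA identifiers; the server and client lists below are
# constructed for illustration, not measurements of any real site.

RC4_SHA   = "TLS_RSA_WITH_RC4_128_SHA"
RC4_MD5   = "TLS_RSA_WITH_RC4_128_MD5"
AES128    = "TLS_RSA_WITH_AES_128_CBC_SHA"
AES256    = "TLS_RSA_WITH_AES_256_CBC_SHA"
ECDHE_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
TDES      = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

# Constructed server configurations: (preference list, honour server order?).
SERVERS = {
    # BEAST mitigation as commonly deployed: RC4 moved to the front,
    # server order enforced.
    "beast-mitigated.example": ([RC4_SHA, RC4_MD5, AES128, AES256], True),
    # RC4 still enabled, but only as a last resort.
    "rc4-last.example":        ([ECDHE_GCM, AES128, AES256, RC4_SHA], True),
    # RC4 first in the list, but the server lets the client's order win,
    # so the "mitigation" ordering has no effect.
    "client-order.example":    ([RC4_SHA, AES128, AES256], False),
    "no-rc4.example":          ([ECDHE_GCM, AES128, AES256], True),
}

# Constructed client offers, in ClientHello order.
CLIENTS = {
    "browser-with-rc4-fallback": [ECDHE_GCM, AES128, AES256, RC4_SHA],
    "browser-rc4-removed":       [ECDHE_GCM, AES128, AES256],
    "legacy-client":             [RC4_SHA, RC4_MD5, TDES],
}


def negotiate(client_offer, server_prefs, server_order=True):
    """Return the suite the server selects, or None when there is no
    overlap (a real handshake would end in a handshake_failure alert)."""
    offered = set(client_offer)
    if server_order:
        # Server order: first server preference the client also offered.
        return next((s for s in server_prefs if s in offered), None)
    # Client order: first client preference the server supports.
    supported = set(server_prefs)
    return next((s for s in client_offer if s in supported), None)


def is_rc4(suite):
    return suite is not None and "RC4" in suite


def naive_rc4_count(servers=SERVERS):
    """What a 'does RC4 appear in the server's list' scan reports."""
    return sum(any(is_rc4(s) for s in prefs) for prefs, _ in servers.values())


def negotiated_rc4_count(client_offer, servers=SERVERS):
    """How many servers this particular client really ends up on RC4 with."""
    return sum(is_rc4(negotiate(client_offer, prefs, order))
               for prefs, order in servers.values())


def report(servers=SERVERS, clients=CLIENTS):
    """Per-client count of servers that would negotiate RC4."""
    return {name: negotiated_rc4_count(offer, servers)
            for name, offer in clients.items()}


if __name__ == "__main__":
    print("servers with RC4 anywhere in their list:", naive_rc4_count())
    for name, n in report().items():
        print(f"servers that negotiate RC4 with {name}: {n}")
```

Against these constructed lists the naive scan flags three of the four servers, while a browser that still offers RC4 as a fallback lands on it at only one of them, and a browser with RC4 removed from its offer never does. The real measurement therefore needs the ClientHello of each client you care about, not just the server's list.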



More information about the cypherpunks mailing list