
We moved to RC4-MD5 as a mitigation for the BEAST attack, but our other teams are saying to use DES-CBC3-SHA.

I want to know if DES-CBC3-SHA is equally secure and mitigates BEAST as well.

Also, is the browser compliance different for these ciphers?

Novice User
    Take a look at Mozilla's [recommended ciphersuite](https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite). None of the ciphers you list is recommended. BEAST is mitigated by upgrading to at least TLS 1.1. – Stephen Touset May 06 '14 at 00:54

1 Answer


DES-CBC3-SHA is affected by BEAST, but it might still be a better choice than RC4-MD5, because BEAST is considered mostly fixed on the client side while it gets easier every day to crack RC4. See also https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat. The best option is, of course, to move to TLS 1.1 or higher, but not all clients can do this.

Steffen Ullrich
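The distinction drawn in the answer and the comment above, as an added example that is not part of the original posts: BEAST exposure depends on a CBC suite being used under SSL 3.0 or TLS 1.0, while RC4 is a separate weakness at any version. The cipher listing is a constructed sample in `openssl ciphers -v` format, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of `openssl ciphers -v` (not from the page).
SAMPLE = """\
RC4-MD5                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=MD5
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# SSL 3.0 and TLS 1.0 reuse the last ciphertext block of the previous record
# as the next CBC IV; TLS 1.1 and later send an explicit IV per record.
CHAINED_IV_PROTOCOLS = {"SSLv3", "TLSv1"}

def parse_ciphers(text):
    """Map suite name -> (Enc, Mac) from `openssl ciphers -v` style lines."""
    suites = {}
    for line in text.splitlines():
        enc = re.search(r"Enc=([A-Za-z0-9]+)", line)
        mac = re.search(r"Mac=(\S+)", line)
        if enc and mac:
            suites[line.split()[0]] = (enc.group(1), mac.group(1))
    return suites

def mode_of(enc, mac):
    """Classify the bulk cipher: 'aead', 'stream' (RC4), 'null' or 'cbc'."""
    if mac == "AEAD":
        return "aead"
    if enc == "RC4":
        return "stream"
    if enc == "None":
        return "null"
    return "cbc"

def assess(suite, negotiated, suites):
    """Findings for one suite under the protocol version actually negotiated."""
    # The protocol column in the listing is only where the suite was defined,
    # so the negotiated version (e.g. from SSLSocket.version()) is passed in.
    mode = mode_of(*suites[suite])
    findings = []
    if mode == "cbc" and negotiated in CHAINED_IV_PROTOCOLS:
        findings.append("BEAST-exposed: CBC with chained IV")
    if mode == "stream":
        findings.append("RC4: biased keystream")
    return findings
```

Calling `assess("DES-CBC3-SHA", "TLSv1", parse_ciphers(SAMPLE))` flags BEAST exposure, while the same suite under `"TLSv1.1"` returns no findings and `RC4-MD5` is flagged at every version.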