Highest Voted 'rc4' Questions - IT Security Stack Exchange

40

votes

1 answer

TLS: RC4 or not RC4?

I was reading another interesting article by Matthew Green today, saying that if you're using RC4 as your primary ciphersuite in SSL/TLS, now would be a great time to stop As far as I'm aware RC4 has been up'd on the list of ciphersuites to…

asked Mar 12 '13 at 21:45

Yoav Aner

5,299
3
24
37

37

votes

4 answers

Can someone explain what exactly is accomplished by generation of DH parameters?

I'm setting up a node.js server: https.createServer({ ... ciphers: 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH', honorCipherOrder: true }, app).listen(443); This is a able to achieve a SSLLabs A rating, which…

tls aes openssl rc4 diffie-hellman

asked Jun 30 '13 at 04:47

Steven Lu

977
2
12
13

29

votes

3 answers

Are there any known vulnerabilities in PPTP VPNs when configured properly?

PPTP is the only VPN protocol supported by some devices (for example, the Asus RT-AC66U WiFi router). If PPTP is configured to only use the most secure options, does its use present any security vulnerabilities? The most secure configuration of PPTP…

encryption vpn sha rc4 pptp

asked Nov 15 '13 at 00:11

user34241

293
1
3
4

27

votes

1 answer

How to describe RC4 'bias' to non-tech people

I'm looking for the 'plain English' version of 'bias' as used in the context of the RC4 weakness. I know that RC4 generates a string of psuedorandom bits over, for instance, http(s) traffic. If you encrypt mostly the same data with this, there is…

rc4

asked Jan 12 '15 at 16:40

spoorlezer

563
5
10

18

votes

4 answers

Remove RC4 from SSL/TLS ciphers in Chromium

Recently I started to live without RC4 within my Firefox session. Discussion about it can be found here. While it is quite easy in Firefox (Enter about:config and then rc4), I found no possibility to do this in Chromium. So is it possible to disable…

tls web-browser chrome rc4

asked Jul 05 '13 at 22:12

qbi

1,601
2
14
27

15

votes

3 answers

Should I worry if my credit card payment processor's server allows only weak SSL cipher suites?

I tested their server using https://www.ssllabs.com/ssltest/ and, apart from the disappointing "B" rating (it handles financial transactions, after all), the server only allows the following two RC4 cipher suites, both of which are considered…

tls credit-card cipher-selection rc4 payment-gateway

asked Feb 21 '15 at 20:11

Gabriel S.

283
1
7

10

votes

2 answers

RC4 bias protection with padding in TLS

On the answer to my previous question about RC4 vulnerabilities in TLS, Thomas Pornin gave a great answer, in which he said: One way to "fix" RC4, which has been suggested many times, is to drop the first 256 (or 512 or 1536 or whatever) bytes of…

tls web-browser rc4

asked Mar 13 '13 at 08:37

Yoav Aner

5,299
3
24
37

8

votes

1 answer

What to do when Google disables SSLv3 and RC4?

I've read this article from Google's Online Security Blog, and it says that Google will disable support for SSLv3 and RC4. Here's the reason: SSLv3 has been obsolete for over 16 years and is so full of known problems that the IETF has decided…

tls certificates google rc4

asked Sep 19 '15 at 16:12

Jonathan Solorzano

183
4

7

votes

2 answers

Implications of having a service account in AD use RC4 rather than AES for Kerberos?

Bear with me, I know this is sloppy, but here is the back story: We have a partner that uses Jira and is using spnego with a custom auth back-end that expects certain group membership in the token. Assuming the presented token meets the…

aes active-directory kerberos rc4

asked Jan 17 '13 at 02:36

MDMarra

325
3
13

6

votes

1 answer

Prevent BEAST attack without RC4 cipher suites

It is common practice to prevent the BEAST attack using the following ciphers in Apache SSL configuration: SSLCipherSuite RC4-SHA:HIGH:!ADH Unfortunately, RC4 has been found to be flawed and it is now recommended to avoid its use. From a Nessus…

encryption tls beast rc4

asked Oct 31 '14 at 05:53

Michael

1,457
1
18
36

6

votes

1 answer

How does DHE-RSA-AES256-SHA compare to RC4 as the Cipher for SSL?

I read a lot of issue [1] currently stating that RC4 is broken and is at risk. I just checked my web server (nginx) and it is using the default settings, which is DHE-RSA-AES256-SHA How does this Cipher compare to the RC4? Is it slower (I think…

tls web-browser http rc4

asked Mar 22 '13 at 09:27

Howard

273
1
2
6

6

votes

1 answer

Disable RC4 ciphers best practice

To be compliant with security best practices, we have a requirement to disable RC4 ciphers. I have investigated a way to achieve this and, found that I can disable it by editing the registry…

rc4 ciphers

asked Sep 09 '16 at 21:11

kimo pryvt

469
4
6
12

5

votes

1 answer

Is CVE-2013-2566 a practical attack against RC4 or still conceptual?

Is CVE-2013-2566 a practical attack against RC4 or still conceptual and does it only apply to WPA/TKIP?

tls attacks cipher-selection rc4

asked Jun 11 '15 at 23:02

user53029

2,657
5
24
35

5

votes

3 answers

Disadvantages of disabling RC4 in SSL/TLS

Other than requiring more server resources, are there any disadvantages of disabling RC4 from being using by an Apache webserver? My primary concern is preventing access from older browsers.

tls openssl apache rc4

asked May 18 '15 at 12:49

user1032531

313
2
3
11

5

votes

3 answers

What is the impact of removing TLS_RSA_WITH_RC4_128_SHA from my server's cipher suite?

I run a website that supports many clients via webservices. I'm setting up some new certificates and load balancers and when doing ssllabs's server test, it's flagging all my ciphers as OK except TLS_RSA_WITH_RC4_128_SHA. What would be the impact…

tls rc4

asked May 02 '15 at 03:25

Bill Brasky

153
1
1
4

Questions tagged [rc4]