7

Now that the BEAST is public knowledge, TLS 1.0 is NOT safe to use (nor is SSL 3.0). I have seen reports that the RC4 cipher is unaffected (and is widely supported). Is that true?

I know that TLS 1.1 is immune. But out of the 1,000,000 most popular SSL/TLS enabled websites, only a few (221) support TLS 1.1 or higher.

The exploit is restricted to browsers because it requires JavaScript or Browser Plugins via MITM. PayPal.com is vulnerable, as of this writing.

unixman83
  • 1,932
  • 8
  • 25
  • 33
  • 1
    RC4 may be safe from *that* exploit. But last I heard RC4 had many problems of its own. Also, I cannot find anywhere that says that BEAST is "public knowledge". Its existence is, but that is very different than the exploit itself being public knowledge. Granted we will need a solution soon, but it sounds like TLS 1.1 and 1.2 are not vulnerable to the BEAST and seem like a much better solution than using RC4. Disclaimer, I am no expert, just piping in cause I am curious. – Jason Dean Sep 24 '11 at 03:53
  • I didn't down vote. Just so you know. I appreciated your answer. Did you delete it? Here is an interesting post I found about BEAST and Chrome. In the article it points out that Google's servers have preferred RC4 for a long time. I found that encouraging. – Jason Dean Sep 24 '11 at 04:56
  • Yep, RC4 wasn't bad, WEP was (which uses RC4). So much bad is from the flawed designers ideas about what it 'safe' with a particular cipher. Hopefully TLS 1.2 gets it right. – unixman83 Sep 24 '11 at 18:22

1 Answers1

5

Correct; RC4 is a stream cipher, and is not affected.

The flaw is in CBC message construction, so the ciphers using CBC (there's a bunch, but AES and 3DES are the most popular) are all affected.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251