Still hope for SSL, the web ain't dead yet

Subject: General Tech | September 26, 2011 - 01:20 PM |
Tagged: fud, security, SSL

SSL and secure data transfer are wounded, but not dying quite yet, provided you use an elderly encryption cipher called RC4 or ARC4. AES is currently suggested as the preferred way of encrypting data transfers, but the BEAST (Browser Exploit Against SSL/TLS) attack is capable of defeating AES encryption. Unfortunately, there are attack methods which are able to defeat RC4, specifically as it is implemented for WPA and WEP in wireless networks. Google informed The Register that they have been using RC4, although clients that attempt to connect without support for that encryption method are offered the vulnerable AES method. Google also pointed out that the latest developer version of Chrome protects against the BEAST attack, but didn't mention when the main version of Chrome will protect users.

"The recommendations published Friday by two-factor authentication service PhoneFactor suggest websites use the RC4 cipher to encrypt SSL traffic instead of newer, and ironically cryptographically stronger, algorithms such as AES. Google webservers are already configured to favor RC4, according to this analysis tool from security firm Qualys. A Google spokesman says the company has used those settings 'for years.'"

Source: The Register