[Pkg-openssl-devel] Bug#728504: Bug#728504: libssl1.0.0: please disable RC4 by default
Kurt Roeckx
kurt at roeckx.be
Sat Nov 2 00:13:02 UTC 2013
On Fri, Nov 01, 2013 at 11:57:26PM +0000, brian m. carlson wrote:
> Package: openssl
> Version: 1.0.1e-4
> Severity: wishlist
>
> RC4 is insecure. It has significant biases in its output, even if you
> drop the beginning of the keystream. It is considered insecure when
> used in WEP, in WPA, in TLS, and as a PRNG. Nobody should still be
> using it, certainly not by default. Please disable it by default in TLS
> negotiations and wherever else a default list of ciphers is provided.

I don't think this is currently doable. The problem is that
Internet Explorer on XP only has 2 ciphers you would want to
use and that's RC4 or 3DES. And people seem to prefer using
RC4 over 3DES to talk to it.

Anyway, I wouldn't call RC4 insecure, but it probably is
problematic. It's currently probably also the most commonly used
cipher.

Anyway I really hope nobody uses the cipher list of DEFAULT since
it includes 40-bit ciphers. But maybe some applications do.

Kurt
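
An added example, not part of the original message or of OpenSSL: a Python check that parses a listing in the `openssl ciphers -v` output format, flags the suites this thread is about (RC4 and 40-bit export ciphers), and shows what is left once they are dropped. The sample listing is constructed, and `audit` and `remaining` are hypothetical helper names.

```python
import re

# Constructed sample in the column format printed by `openssl ciphers -v`;
# not captured from any particular OpenSSL build.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

# Matches the encryption column, e.g. "Enc=RC4(128)" -> ("RC4", "128").
ENC = re.compile(r"^Enc=([A-Za-z0-9]+)\((\d+)\)$")


def audit(listing, min_bits=128):
    """Return {suite: [reasons]} for suites using RC4, a short key, or export mode."""
    findings = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # not a cipher line
        reasons = []
        for field in fields[2:]:
            if field == "Enc=None":
                reasons.append("no encryption")
            m = ENC.match(field)
            if m:
                if m.group(1) == "RC4":
                    reasons.append("RC4")
                if int(m.group(2)) < min_bits:
                    reasons.append(m.group(2) + "-bit key")
        if "export" in fields[6:]:
            reasons.append("export-grade")
        if reasons:
            findings[fields[0]] = reasons
    return findings


def remaining(listing, min_bits=128):
    """Suites left, in original preference order, after dropping flagged ones."""
    bad = audit(listing, min_bits)
    names = [l.split()[0] for l in listing.splitlines() if len(l.split()) >= 6]
    return [n for n in names if n not in bad]


if __name__ == "__main__":
    for suite, why in audit(SAMPLE).items():
        print(suite, "->", ", ".join(why))
    print("remaining:", remaining(SAMPLE))
```

To check a real build, pass the text printed by `openssl ciphers -v 'DEFAULT'` to `audit` in place of `SAMPLE`. In the constructed listing, `DES-CBC3-SHA` is the only suite left from the RC4/3DES pair mentioned above once RC4 is removed.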