[Twisted-Python] [Twisted] #6663: Allow CertificateOptions to set acceptable SSL ciphers

Hynek Schlawack hs at ox.cx
Fri Aug 16 07:14:03 MDT 2013


Please disregard this mail; I mixed up the behavior of Roundup and Trac.

Feel free to comment on ticket #6663 though.

On 16.08.2013 at 08:19, Hynek Schlawack <hs at ox.cx> wrote:

>>> 1. That there is a consent on high quality ciphers: for example right
>>> now there are roughly two fractions who agree what is the lesser evil: RC4
>>> or AES-CBC.
>> 
>> No, it is now clear that RC4 is the greater evil. The browsers have
>> deployed defenses against the "BEAST" attack on CBC (the defense is "1/n-1
>> record splitting"), and BEAST is an active attack which can only be used
>> in some cases and which tends to leave evidence of the attempt. On the
>> other hand, RC4 is apparently vulnerable to passive attacks, which are
>> more serious.
>> 
>> (If I'm wrong and there actually *is* a faction who still prefers RC4
>> despite the recent results against it, I'd like to read about it!)
> 
> I’m not going to argue ciphers with you because you’re obviously right and I already wrote elsewhere that I’m going to fully defer to your judgement here.
> 
> To explain where the above came from and why e.g. Qualys is still somewhat for RC4 as a fallback cipher: to the best of my knowledge[1], Apple’s desktop Safari browser ''still'' hasn’t activated record splitting in its latest version and is thus still vulnerable to BEAST (and doesn’t support TLS>1). But that’s probably enough of a corner case to ignore in the defaults and will hopefully resolve itself in Mavericks.
> 
> [1]: Mostly from https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what and I’m not aware of any changes.