SSL and secure data transfer are wounded, but not dying quite yet if you use an elderly cipher called RC4 or ARC4. Currently AES is suggested as the preferred way of encrypting data transfers, but the BEAST (Browser Exploit Against SSL/TLS) attack is capable of defeating AES encryption. Unfortunately there are attack methods which are able to defeat RC4, specifically as it is implemented for WPA and WEP in wireless networks. Google informed The Register that they have been using RC4, although clients that attempt to connect without support for that cipher are offered the vulnerable AES method. Google also pointed out that the latest developer version of Chrome protects against the BEAST attack, but did not mention when the main version of Chrome will protect users.
"The recommendations, published Friday by two-factor authentication service PhoneFactor, suggest websites use the RC4 cipher to encrypt SSL traffic instead of newer, and ironically cryptographically stronger, algorithms such as AES. Google webservers are already configured to favor RC4, according to this analysis tool from security firm Qualys. A Google spokesman says the company has used those settings 'for years.'"