With all the news over the last year about secure websites falling victim to serious encryption vulnerabilities, I sit here in disbelief that one very critical vulnerability has seemingly slipped through the cracks. I’m speaking of the RC4 encryption cipher.
ATTENTION WEB SERVER ADMINISTRATORS: I’M TALKING TO YOU!!
It’s bad enough that so many websites still include RC4 in their accepted cipher list. Worse, a great number use RC4 exclusively or list RC4 as their preferred cipher, and an increasing number of users can no longer reach them. Awareness of the problems with RC4 is slow to gain traction, and many administrators are unaware of the guidance and advisories (RFC 7465 and CVE-2015-2808) that now prohibit its use. Enterprise Intrusion Prevention Systems are starting to actively block RC4 sites, and the latest update to Internet Explorer on Windows 8.1 disables RC4 completely.
Working for a company that operates under strict compliance guidelines, we are being required to disable RC4 on all servers AND workstations; we cannot do that while so many sites critical to our daily operation still depend on RC4. We need a widespread public awareness campaign, like we had with Heartbleed and POODLE, to get web admins to stop using this vulnerable cipher.
Do you know if your secure website is configured correctly? Use this free tool from Qualys for an in-depth analysis: https://www.ssllabs.com/ssltest
For details on how to securely configure your OpenSSL server: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers
Great FREE tool to securely configure your Windows server: https://www.nartac.com/Products/IISCrypto
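The rule RFC 7465 actually imposes is simple: a client must not offer an RC4 suite in its ClientHello, and a server must not select one in its ServerHello. This is what an IPS or a passive monitor checks on the wire, and it is a quick way to audit your own traffic before or after reconfiguring a server. The following is an added example (not from the original post or any of the tools linked above) that parses the cipher suites out of a ClientHello or ServerHello record and flags RC4; the `RC4_SUITES` table is a representative subset of the code points RFC 7465 lists, and the sample messages are constructed, not captured.

```python
"""Flag RC4 cipher suites in a TLS ClientHello or ServerHello (RFC 7465 check)."""
import struct

# Cipher suite code points that use RC4, a representative subset of the
# list RFC 7465 prohibits (the RFC enumerates every RC4 suite).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def hello_cipher_suites(record):
    """Return (hello_type, [cipher suite code points]) from one TLS handshake record.
    For a ClientHello the list is the client's offer in preference order;
    for a ServerHello it holds the single suite the server selected."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                   # skip version and random
    pos += 1 + hs[pos]                             # skip session id
    if hs_type == 0x01:                            # ClientHello: 2-byte length + suites
        n = struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        return "ClientHello", [struct.unpack(">H", hs[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    if hs_type == 0x02:                            # ServerHello: exactly one suite
        return "ServerHello", [struct.unpack(">H", hs[pos:pos + 2])[0]]
    raise ValueError("unsupported handshake type %#x" % hs_type)

def rc4_findings(record):
    """Report RC4 use in a hello message the way a defender's monitor would."""
    kind, suites = hello_cipher_suites(record)
    rc4 = [RC4_SUITES[s] for s in suites if s in RC4_SUITES]
    return {"type": kind, "rc4_offered": rc4,
            "violates_rfc7465": bool(rc4),             # client offered / server selected RC4
            "rc4_first": bool(suites) and suites[0] in RC4_SUITES}  # RC4 is the top preference

def build_hello(hs_type, suites):
    """Construct a minimal TLS 1.2 ClientHello (0x01) or ServerHello (0x02) record for testing."""
    body = b"\x03\x03" + bytes(32) + b"\x00"     # version, zero random, empty session id
    if hs_type == 0x01:
        cs = b"".join(struct.pack(">H", s) for s in suites)
        body += struct.pack(">H", len(cs)) + cs + b"\x01\x00" + b"\x00\x00"  # null compression, no extensions
    else:
        body += struct.pack(">H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

# Constructed samples: a client preferring RC4, a server selecting it, and a clean client.
BAD_CLIENT_HELLO = build_hello(0x01, [0x0005, 0xC02F, 0x002F])
BAD_SERVER_HELLO = build_hello(0x02, [0x0005])
GOOD_CLIENT_HELLO = build_hello(0x01, [0xC02F, 0x002F])
```

Feed it the first record of a real handshake captured from your own server and a `violates_rfc7465` of `True` on the ServerHello means the server still selects RC4 for that client.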