K-Meleon Forum
General discussion about K-Meleon.
[quote=gordon451]
[quote=JamesD]If I then mark "false" all of the crypto items in configuration except the RC4 items, would I not have TLS 1.0 with non CBC? Is that not the goal?[/quote]

We-e-e-lll...

[quote=Wikipedia]At http://en.wikipedia.org/wiki/RC4#Security : However, many applications that use RC4 simply concatenate key and nonce; RC4's weak key schedule then gives rise to a variety of serious problems. Because RC4 is a stream cipher, it is more malleable than common block ciphers. If not used together with a strong message authentication code (MAC), then encryption is vulnerable to a bit-flipping attack.[/quote]

Have a Cap'n Cook at [url=http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps]Fluhrer, Mantin and Shamir, SAC 2001[/url].

In short, the encryption cypher is not the problem. The problem is the encryption method -- TLS 1.0 -- and the reluctance of web server operators to upgrade their software. We users are always urged to upgrade "for security", why can't they do the same?

The solution is not to default to a weak cypher which resists only the most recent attack, but to compel upgrades to a strong encryption method which is shown to be resistant to many attacks -- TLS 1.1 and 1.2.

BTW, Opera 10+ implements TLS 1.2 natively. Of course, they do have other problems...

[EDIT] @JamesD: I had a look at Fortify.net/sslcheck.html... I had disabled half the cyphers it showed me :O [end EDIT]

Gordon.
[/quote]
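The malleability point in the Wikipedia passage quoted above, as an added example that is not part of the original post: a textbook RC4 shows that a ciphertext edit carries straight through to the plaintext when no MAC is checked, and that an HMAC over the ciphertext rejects the same edit. The keys, the message and the helper names `seal`, `open_sealed` and `flip` are constructed for illustration.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the ciphertext."""
    ct = rc4(enc_key, plaintext)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed: ciphertext was modified")
    return rc4(enc_key, ct)

def flip(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR the difference between two plaintexts into the ciphertext."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    patched = bytes(c ^ d for c, d in zip(ct[offset:], delta))
    return ct[:offset] + patched + ct[offset + len(delta):]

# Constructed sample values, not taken from the thread.
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
MESSAGE = b"amount=0100;to=alice"

if __name__ == "__main__":
    ct, tag = seal(ENC_KEY, MAC_KEY, MESSAGE)
    tampered = flip(ct, 7, b"0100", b"9100")
    print("no MAC check:", rc4(ENC_KEY, tampered))
    try:
        open_sealed(ENC_KEY, MAC_KEY, tampered, tag)
    except ValueError as err:
        print("with MAC check:", err)
```

The RC4 cipher suites in TLS pair the cipher with an HMAC, which is the "strong MAC" condition the quoted passage refers to.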