Bug#654764: Mitigate B.E.A.S.T attack

[Mathieu Parent <math.parent@gmail.com>]

severity 654764 wishlist
tags 654764 +wontfix
thanks

2012/1/6 Stefan Fritsch <sf@sfritsch.de>:
> On Thursday 05 January 2012, Mathieu Parent wrote:
>> The BEAST vulnerability [1] "can be prevented by removing all CBC
>> ciphers from your list of allowed ciphers—leaving only the RC4
>> cipher".
>
> I don't think we want to do that. The normal RC4 algorithms (i.e. not
> ECDHE-*-RC4*) don't provide perfect forward secrecy. So you would
> improve the security in one regard (mitigate BEAST vulnerability even
> if the client does not implement a work-around) but worsen it in
> another regard.
>
> AFAIK, NSS, which is used by Chrome and Firefox, has had a BEAST
> workaround for some time now. So, the suggested change would worsen
> the security for a significant part of the user base.

OK. I didn't know that. I have marked the bug as wontfix. Feel free to close it.

-- 
Mathieu Parent