Hi.

I wondered about the status of the BEAST attack in Debian, especially:

1) Can I use any cipher suite and still be secure (e.g. use AES and disable RC4; the latter is often claimed to secure things... while there are, however, sources on the web claiming it would be even more vulnerable than AES)?

2) I know most browsers mitigate it already on their side... but I guess just by not selecting CBC ciphers if possible (???)... what, however, if I only offer such?

So the question is: how can I force it on the server side, to be secure against BEAST?

I also found these:
http://security.stackexchange.com/questions/17080/is-there-a-way-to-mitigate-beast-without-disabling-aes-completely
http://blogs.cisco.com/security/beat-the-beast-with-tls/
which claim openssl fixed the problem already on a protocol level (even for TLS 1.0).

So can we verify whether SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is set in Debian's openssl?

Cheers,
Chris.