On Thursday 05 January 2012, Mathieu Parent wrote: > The BEAST vulnerability [1] "can be prevented by removing all CBC > ciphers from your list of allowed ciphers—leaving only the RC4 > cipher".
I don't think we want to do that. The normal RC4 algorithms (i.e. not ECDHE-*-RC4*) don't provide perfect forward secrecy. So you would improve the security in one regard (mitigate BEAST vulnerability even if the client does not implement a work-around) but worsen it in another regard. AFAIK, NSS, which is used by Chrome and Firefox, has had a BEAST workaround for some time now. So, the suggested change would worsen the security for a significant part of the user base. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org