Update – January, 2015. SSL v3 should be turned off. RC4 is now weak and should not be used anymore, even as a work around to the BEAST attack. LuxSci recommends to use TLS v1.1+ and NIST-recommended ciphers. The BEAST is not really considered a significant vector (even with TLS v1.0) compared to other things, anymore.
Update – April, 2012. openssl v1.0.1 is out and it supports TLS v1.1 and v1.2 which help mitigate this attack. All web sites hosted by LuxSci now use this updated software and are safe from BEAST. LuxSci recommends using a web host which supports TLS v1.1 and v1.2 for secure web connections.
SSL v3 and TLS v1 are subject to a serious exploit, according to a recently published attack mechanism (called BEAST). This sounds foundation-shattering and kind of scary. When people see this, as when we did, the first panicky questions that arise are:
- What is really affected?
- How serious is it?
- What can I do to protect myself?
- How does the BEAST attack actually work?
Read the rest of this post »