BEAST Attacks and RC4 Problems
SSL is currently afflicted with several security problems. The first one is the so called "BEAST" attack. A problem known for years but only lately was there an exploit found.
This "BEAST" attack is mainly applied on the client side (aka. the Web Browser) and all major vendors have fixed this already except Apple (Safari).
The only approach to fix this on the server side (i.e. the PRTG Web Server) is to:
- either use TLS 1.1+
- or to drastically reduce the offered ciphers to RC4 based ones.
Due to third party components used by PRTG we currently can not support TLS 1.1+.
So we have adjusted the "supported cipher list" to support only "SSLv3 128 bits RC4-SHA" in version 13.x.5 or later (available tomorrow morning in the Canary channel). This cipher is supported by all major web browsers.
Unfortunately the RC4 cipher is afflicted with problems too, but there are no practical exploits yet. So it is safe to use - for now. We will monitor the situation and follow the "best practices" recommended by the security experts.
More on the BEAST attack:
https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
More on the RC4 weakness:
https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
Add comment