RC4 No Longer Secure — Check your HTTPS site now

Andy Gambles, Servertastic
Jul 16, 2015 · 2 min read

At Servertastic we make the ability to purchase an SSL Certificate as simple as we possibly can. But as an installer you have many things you need to consider to ensure your site uses the best encryption available to secure the HTTPS site.

When connecting to a website using HTTPS there are several encryption algorithms that can be used. The client and server negotiate with each other to find one they both mutually support.

As computing power increases these algorithms come under regular attack and eventually become too weak to be considered secure. This is the case with RC4.

Google Chrome already highlights when a site is using RC4 by stating "Your connection to [domain] is encrypted with obsolete cryptography."

Recently security researchers have demonstrated a plausible attack against an HTTPS website that utilised RC4. They were able to monitor traffic until they had enough data to break the encryption. This took a mere 52 hours.

Figure: HTTPS RC4 Attack (via RC4 NOMORE)

The demonstration allowed the attackers to access decrypted cookie data for the website. However, the attack was not limited to just cookies. Any system using RC4 encryption is vulnerable, including WPA-TKIP Wi-Fi networks.

Is my website vulnerable?

To check if your site has RC4 enabled we recommend using SSL Labs Server Test. This will highlight any issues with your HTTPS implementation.

How to disable RC4

For Apache configurations you should add !RC4 to the SSLCipherSuite directive. For Windows users please refer to the following article: Microsoft security advisory: Update for disabling RC4
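As an added example (not from the original post or from Servertastic), here is a mod_ssl configuration showing a cipher list that still permits RC4 beside the corrected one. The virtual host block and the other directive values are assumed, typical settings; only the !RC4 exclusion comes from the post above.

```apache
# BEFORE (assumed, typical pre-2015 mod_ssl setting): the MEDIUM group in
# OpenSSL 1.0.x contains RC4 suites such as RC4-SHA, so RC4 stays negotiable.
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>

# AFTER: appending !RC4 (the change recommended in the post) strips every
# RC4 suite from the list. SSLHonorCipherOrder makes the server, not the
# client, choose the suite, so a client cannot steer negotiation downward.
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
</VirtualHost>

# Check the list locally before reloading Apache (expect no output):
#   openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5:!RC4' | grep RC4
# Then validate the config (apachectl configtest), reload, and re-run the
# SSL Labs Server Test mentioned above against the live site.
```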

Further Information
