HTTPS is NOT broken (RC4 is)

18 Mar

Here we go again:

The answer is firmly: NO.

What the articles really mean is

HTTPS using RC4 is weak, but we have known that for years. Some research has found a particular good way of breaking RC4, so it is worse than ever. Please use a widely available stronger symmetric algorithm.

But I guess that does not make a good headline, so I guess we have to live with the hype.

One Response to “HTTPS is NOT broken (RC4 is)”

  1. Dave Walker April 27, 2013 at 19:36 #

    You’re right, of course; it must have been a slow news day.

    Cryptographers are naturally a very conservative lot, and RC4 has had warning bells rung over its use since (um…) around 2005, when Ron Rivest announced that, given a snippet of <200 bytes from an RC4 stream, he could confidently identify it as being RC4. This makes it distinguishable from whitenoise, even without getting to choose the plaintext, which means it fails one of the important strength-checks of a Feistel cipher – and its fate should have been sealed right around then. Like many other things, though, it takes bits of the world a while to catch on…


Please join the discussion, we welcome your views...

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: