>>> It would be good to see them abandon RC4 of course, and soon.
>> In favour of what, exactly? We're out of good ciphersuites.
> I thought AES was okay for TLS 1.2? Isn't the issue simply that
> Firefox etc. still use TLS 1.0? Note that this was a TLS 1.2
> connection.

Firefox has added TLS 1.2 two or three weeks ago, and TLS 1.2 does
indeed protect against BEAST, CRIME, Lucky 13 (but not against BREACH, I

However, my guess would be that too many Apaches out there are linked to
older openssl versions that do not yet support TLS 1.1 or TLS 1.2.

I have found this a good write-up:


The cryptography mailing list

Reply via email to