YouTube, now with less RC4

After everybody said not to use RC4 any more, Google finally enabled one additional cipher suite on Google video servers: TLS_RSA_WITH_AES_128_GCM_SHA256. Unfortunately, this cipher suite is supported by neither Firefox 30 nor Internet Explorer on Windows 8.1 or earlier.

Users of Firefox will have to wait for bug 1029179 to be fixed.

This cipher suite is, however, supported by Google Chrome and Chromium, so if you’re a user of those browsers, you can finally disable RC4 for everyday browsing. You can do it either by creating a wrapper script, or by modifying the shortcut you use to run those browsers so that it passes one additional option:

chrome --cipher-suite-blacklist=0x0003,0x0004,0x0005,0x0017,0x0018,0x0020,0x0024,0x0028,0x002B,0x0066,0x008A,0x008E,0x0092,0xC002,0xC007,0xC00C,0xC011,0xC016,0xC033

This will disable the following cipher suites (the numbers are the IANA TLS cipher suite identifiers):

  • 0x0003 – TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • 0x0004 – TLS_RSA_WITH_RC4_128_MD5
  • 0x0005 – TLS_RSA_WITH_RC4_128_SHA
  • 0x0017 – TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  • 0x0018 – TLS_DH_anon_WITH_RC4_128_MD5
  • 0x0020 – TLS_KRB5_WITH_RC4_128_SHA
  • 0x0024 – TLS_KRB5_WITH_RC4_128_MD5
  • 0x0028 – TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  • 0x002B – TLS_KRB5_EXPORT_WITH_RC4_40_MD5
  • 0x0066 – SSL_DHE_DSS_WITH_RC4_128_SHA
  • 0x008A – TLS_PSK_WITH_RC4_128_SHA
  • 0x008E – TLS_DHE_PSK_WITH_RC4_128_SHA
  • 0x0092 – TLS_RSA_PSK_WITH_RC4_128_SHA
  • 0xC002 – TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  • 0xC007 – TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • 0xC00C – TLS_ECDH_RSA_WITH_RC4_128_SHA
  • 0xC011 – TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • 0xC016 – TLS_ECDH_anon_WITH_RC4_128_SHA
  • 0xC033 – TLS_ECDHE_PSK_WITH_RC4_128_SHA

While blacklisting all of them is not strictly necessary, since some of them are not supported by the NSS version currently used, that may change in the future, so… better safe than sorry.

After starting the browser with these new settings, head over to the test site run by Leibniz University Hannover, or the other one run by Qualys, and double-check that no RC4 cipher suites are offered by your browser.
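The same double-check can be done offline against a captured ClientHello (for example one exported from a packet capture) instead of an external test site. The following is an added example, not code from the original post: it parses the cipher suite list out of a TLS ClientHello record, reports any suites from the blacklist above, and rebuilds the Chrome option from a set of suite IDs. The `build_client_hello` helper only constructs a minimal hello for testing and is not a real capture.

```python
import struct

# RC4 cipher suite IDs from the --cipher-suite-blacklist option above (IANA numbers)
RC4_SUITES = {
    0x0003, 0x0004, 0x0005, 0x0017, 0x0018, 0x0020, 0x0024, 0x0028, 0x002B,
    0x0066, 0x008A, 0x008E, 0x0092, 0xC002, 0xC007, 0xC00C, 0xC011, 0xC016, 0xC033,
}


def chrome_blacklist_flag(suites=RC4_SUITES):
    """Build the Chrome/Chromium --cipher-suite-blacklist option from a set of suite IDs."""
    return "--cipher-suite-blacklist=" + ",".join(f"0x{s:04X}" for s in sorted(suites))


def client_hello_cipher_suites(record):
    """Return the cipher suite IDs offered in a TLS record carrying a ClientHello."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    # 0x16 = handshake record, 0x01 = ClientHello message.
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record containing a ClientHello")
    body = record[9:]
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                             # session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]


def offered_rc4(record):
    """Sorted list of blacklisted RC4 suites the client still offers (empty means clean)."""
    return sorted(set(client_hello_cipher_suites(record)) & RC4_SUITES)


def build_client_hello(suites):
    """Constructed minimal ClientHello (TLS 1.2, no extensions) for testing only."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0x0005, 0x009C])   # ECDHE-AES-GCM, RC4-SHA, AES-GCM
    print("RC4 suites offered:", [f"0x{s:04X}" for s in offered_rc4(hello)])
    print(chrome_blacklist_flag())
```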

3 comments

  1. As of 6/30 Firefox bug 1029179 has been marked “RESOLVED INVALID”. Looks like Mozilla prefers Firefox users be SOL waiting for Google to evolve.
