We had the BEAST attack and it was said, “Prioritize RC4 cipher suite.”

We had the Lucky Thirteen attack and it was said again, “Prioritize RC4.”

We had the AlFBPPS attack and it was said, “RC4 is old and crummy. CBC-mode would be better, if only it wasn’t already attacked by BEAST and Lucky Thirteen. Everyone should use TLS 1.2.”

RC4, CBC, what the …?

Do we need to support TLS 1.2? Well, we don’t. Although TLS 1.2 was published in 2008, browsers and servers are still commonly deployed with it disabled.

Where were the guys to say, “Hey, we really don’t want to prefer outdated RC4”? Where were the guys to say, “Hey, developers, why don’t your systems support TLS 1.2 by default, out of the box”?

Why are people thinking up improvements, getting them approved in standards, and then nobody mandating that they be implemented and deployed?

I wish I knew.

As we move forward, Ivan Ristić has some great recommendations for each stakeholder to consider implementing.

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.