AnsweredAssumed Answered

if SSL 3.0 is INSECURE, why isn't RC4?

Question asked by Lily Wilson on Mar 12, 2015
Latest reply on Mar 13, 2015 by Lily Wilson

POODLE and the biases in RC4 have the same CVSS score (4.3). all modern clients have mitigations against POODLE (disabling SSL 3.0, disabling CBC cipher suites with SSL 3.0, or anti-POODLE record splitting). there's an RFC prohibiting RC4. firefox and internet explorer have disabled RC4 except as a fallback. there are plans to remove RC4 completely in chrome and firefox, but neither has been implemented yet. there are claims that RC4 can be broken without an active MITM attack. chrome, firefox, internet explorer, and safari are all protected against POODLE, but still vulnerable to attacks against RC4. so why is SSL 3.0 INSECURE, but RC4 only WEAK?

Outcomes