AnsweredAssumed Answered

BEAST vulnerability detection

Question asked by steve on Oct 3, 2011
Latest reply on Oct 22, 2014 by Ivan Ristic

I just noticed that a new v1.0.87 has been deployed and displays a "BEAST attack: vulnerable".

 

Based on what criteria are you concluding that a server is indeed vulnerable: does a lacking RC4 preferred cipher automatically mean that you consider a server prone to a BEAST attack?

 

On a test server, I don't include RC4 (whether preferred or optional), but instead opted to activate empty fragments for TLS 1.0 and switched to OpenSSL 1.0.1-stable to get TLS 1.1.

 

As far as I tested, only IE6 on Windows XP can't handle empty fragments. All other IE versions, whether on XP or 7 are able to connect just fine. Same for recent versions of Firefox, Chrome and Opera.

Outcomes