I've noticed a few of my favorite websites failing with some odd error from Firefox.

The Firefox error message is a bit misleading. It actually has nothing to do with the website supporting SSL 3.0 but the advanced info is spot on. The error "ssl_error_no_cypher_overlap" means that the client didn't offer any ciphers that the server also supports. Generally when I see this I assume that the server has been setup poorly and only supports unsafe ciphers. In this case the website only supports the RC4 cipher. I wondered why I was starting to see a reversal of removing RC4 from so many websites recently (especially since RC4 is very weak and is on the way out). Apparently these websites all use the F5 load balancer that had a bad implementation of the TLS 1.0 standard causing a POODLE-like vulnerability.

Stepping back for a moment, back in October the POODLE vulnerability hit the streets and a mass exodus from SSL 3.0 happened around the world. I was happy to see so many people running away from the broken cryptographic protocol and very happy to see the big push to implementing the latest version of TLS, TLS 1.2. So with SSL 3.0 out of the way and the POODLE vulnerability being squelched why are we seeing problems in TLS 1.0 now?

Well, simply put, F5 load balancers don't implement TLS 1.0 correctly. The problem with SSL 3.0 is that the padding format isn't checked. Apparently in the F5 devices it's still a problem in TLS 1.0. And while the company did offer up patches to fix the issue, some really bad advice has been circulating the Internetz telling people to only support RC4, again. Sigh.

When RC4 finally dies a fiery death I'll likely throw a party. I'm sure I won't be the only one...

Kicking RC4 out the door

I've been arguing with my web hosting company about their use of RC4. Like many enterprise networks they aren't consistent across all their servers with respect to available ciphers and such. It appears that all customer servers support TLS_RSA_WITH_CAMELLIA_256_CBC_SHA and TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, in addition to TLS_RSA_WITH_RC4_128_SHA (although the latter is preferred …

Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010

Just ran across this article discussing how horrible the cipher preference list is in Android. That's a lot of bad crypto on the streets right now.

Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010

Sparks's Journal

Other articles

Kicking RC4 out the door

Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010