undefined | Better HN

0 pointsyuhong11y ago0 comments

Yea, I hope PCI DSS clarifies this matter soon.

0 comments

For a long time I thought PCI DSS/NVD was the culprit for all RC4 on payment sites, but luckily this was solved, I see they updated the score on 03/12/2015: https://code.google.com/p/chromium/issues/detail?id=375342#c... https://code.google.com/p/chromium/issues/detail?id=375342#c...

I usually complain when some site uses RC4 and I can't access it, but unlike the OP I don't do that via twitter (one reason is that I don't even have an account there).

I've sent 2 emails regarding the use of ONLY RC4 on payment sites in my country, and although such emails aren't always acknowledged they did get fixed after I CC-ed their PCI auditors [1] :)

[1] which you can find publicly on Visa's site at 'PCI DSS validated Member Agent Weblisting' http://www.visaeurope.com/receiving-payments/security/downlo...

AlyssaRowan11y ago

It was, part of it. RC4 had a CVE score below 4 (which many interpreted as an issue they could argue around, i.e. "we need to support Windows XP!"), but BEAST had a score above 4 (auto-fail). And what was the (horrible!) recommendation people got when asking how to mitigate BEAST but still let Windows XP connect? That's right: RC4.

That excuse has gone, on two counts. RC4's now thoroughly toast, and Windows XP's unsupported - and now finds itself without any secure ciphers at all.

It's zmap time…

yuhongOP11y ago

Lets hope that the new RC4 attacks that will hit the news in a few weeks will help also.

AlyssaRowan11y ago

Not long now. I think that will mostly depend on whether they give the issues a name and a logo! <g> (Seriously though, that does seems to get people off their arses!)

You might want to get ready to change passwords for sites that have used RC4 in the past. Or, despite as much warning as anyone can give, are inexplicably still using it.

j / k navigate · click thread line to collapse

0 comments

edwintorok11y ago

I usually complain when some site uses RC4 and I can't access it, but unlike the OP I don't do that via twitter (one reason is that I don't even have an account there).

I've sent 2 emails regarding the use of ONLY RC4 on payment sites in my country, and although such emails aren't always acknowledged they did get fixed after I CC-ed their PCI auditors [1] :)

[1] which you can find publicly on Visa's site at 'PCI DSS validated Member Agent Weblisting' http://www.visaeurope.com/receiving-payments/security/downlo...

AlyssaRowan11y ago

That excuse has gone, on two counts. RC4's now thoroughly toast, and Windows XP's unsupported - and now finds itself without any secure ciphers at all.

It's zmap time…

yuhongOP11y ago

Lets hope that the new RC4 attacks that will hit the news in a few weeks will help also.

AlyssaRowan11y ago

Not long now. I think that will mostly depend on whether they give the issues a name and a logo! <g> (Seriously though, that does seems to get people off their arses!)

You might want to get ready to change passwords for sites that have used RC4 in the past. Or, despite as much warning as anyone can give, are inexplicably still using it.

j / k navigate · click thread line to collapse