Opened 4 years ago

Last modified 3 years ago

#1427 infoneeded task

disable RC4

Reported by: killyourtv Owned by:
Priority: major Milestone: eventually
Component: www/i2p Version:
Keywords: security Cc:
Parent Tickets:


RC4 is considered to be broken and its use is generally discouraged.

Unless there are good reasons to continue supporting RC4, it should probably be disabled on all public-facing services.


Change History (8)

comment:2 Changed 4 years ago by zzz

Which sites are affected?

comment:3 Changed 4 years ago by killyourtv

I'm rescanning now and will provide more info soon. is one of them along with a few of the reseed servers.

comment:4 Changed 4 years ago by killyourtv

RC4-enabled reseed

  • (also vuln to POODLE)
  • (down, see #1422)

RC4-enabled project sites

Last edited 4 years ago by killyourtv

comment:5 Changed 4 years ago by killyourtv

Our attacks enhance the statistical techniques used in the previous attacks and exploit specific features of the password setting to produce attacks that are much closer to being practical. We report on extensive simulations that illustrate this. We obtain good success rates with 2^26 encryptions of the password. By contrast, the previous generation of attacks required around 2^34 encryptions to recover an HTTP session cookie.

comment:6 Changed 4 years ago by str4d

  • Keywords security added
  • Status changed from new to open

comment:7 Changed 4 years ago by str4d

  • Milestone set to eventually

comment:8 Changed 3 years ago by zzz

  • Status changed from open to infoneeded

@OP please rescan and either close or send info to the appropriate people for immediate action... backup for reseed, ech for projekt, and welt? for syndie

this ticket isn't enough to make things happen, need to poke the people responsible
