SSL 'Beast' Vulnerability

I’ve been seeing increasing concern about the new SSL vulnerability - ‘The Beast’
e.g.: “World takes notice as SSL-chewing BEAST is unleashed”
http://www.theregister.co.uk/2011/09/27/beast_attacks_paypay/

The current suggestion seems to be to use the RC4 cipher:
“By Monday, both Microsoft and Mozilla acknowledged that their wares were also affected. An advisory issued by Redmond recommended that websites follow Google’s lead to favor the RC4 cipher”

Is that do-able on a CentOS + VirtualMin setup? If so, how? (And is it indeed a good idea!)

Howdy,

I’m not aware of a formal fix for this issue on Apache yet… and from the sound of it, your desktop has to already be compromised in order for this vulnerability to work. That is, the attacker has to be able to run a command on your computer.

It sounds like the risk of this particular issue is low, and fixes for the various browsers and web servers are forthcoming.

That said, Apache allows you to set the cipher to use.

I don’t know enough about all this to make a recommendation – but if you’re saying that you wish to use the RC4 algorithm, you can tell Apache to do that by using the SSLCipherSuite parameter. You can set that in /etc/httpd/conf.d/ssl.conf.

Documentation on that parameter is here:

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite

Personally, based on how difficult it sounds to take advantage of this vulnerability, and with them saying this isn’t floating around in the wild – I’d probably suggest just waiting for formal fixes to become available.

But, if you don’t want to wait, you can do what you’re after with the above :)

-Eric
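Added example (not part of the reply above, and not Apache project code): a small Python check that reads the `SSLCipherSuite` setting mentioned above, together with `SSLProtocol` and `SSLHonorCipherOrder`, and reports whether SSLv3/TLS 1.0 are enabled and whether the server actually prefers RC4. `SSLHonorCipherOrder` is not mentioned in the thread; it is the mod_ssl directive that makes the server's cipher order win over the client's. The config fragments are constructed, `all` is assumed to include SSLv3 and TLSv1, and the cipher-string handling is a simplification of OpenSSL's syntax.

```python
import re

# Constructed ssl.conf fragments (not from the thread): the 2011-era
# "prefer RC4" workaround, and a config that drops SSLv3/TLS 1.0 instead.
RC4_CONF = """\
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite RC4-SHA:HIGH:!aNULL:!MD5
"""
MODERN_CONF = """\
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
"""
LEGACY = {"sslv3", "tlsv1"}  # protocol versions whose CBC suites BEAST targets

def directives(conf):
    """Last value of each SSL* directive; vhost scoping is ignored (simplification)."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.*\S)", line, re.I)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def legacy_protocols(value):
    """Walk SSLProtocol left to right; 'all' is assumed to include SSLv3 and TLSv1."""
    on = set()
    for tok in value.split():
        name = tok.lstrip("+-").lower()
        names = LEGACY if name == "all" else {name} & LEGACY
        if tok[0] in "+-":
            on = on - names if tok[0] == "-" else on | names
        else:
            on = set(names)  # a bare token replaces what came before
    return on

def audit(conf):
    d = directives(conf)
    # Simplified cipher-string reading: "!"/"-" tokens remove suites,
    # everything else is offered in the order listed.
    offered = [t.upper() for t in d.get("sslciphersuite", "").split(":")
               if t and t[0] not in "!-"]
    honor = d.get("sslhonorcipherorder", "off").lower() == "on"
    return {
        "legacy_protocols": sorted(legacy_protocols(d.get("sslprotocol", "all"))),
        "rc4_offered": any("RC4" in t for t in offered),
        "rc4_preferred": honor and bool(offered) and "RC4" in offered[0],
    }
```

RC4 has since been prohibited in TLS by RFC 7465, so on a current server the result to aim for is an empty `legacy_protocols` list with `rc4_offered` false, rather than `rc4_preferred` true.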

Thanks for the info. Yes, I think I’ll take your advice and hold on for now.