|Title||RC4 ciphersuites in SSL and TLS vulnerable|
|Date||13th of March 2013|
|Affects||all SSL libraries including PolarSSL|
|Not affected||AES-GCM-based or CBC-based ciphersuites. Servers and clients that only communicate over a private network|
|Impact||Possible (partial) recovery of plaintext|
|Solution||Disable RC4-based ciphersuites|
|Credits||Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt|
On the Security of RC4 in TLS describes an attack that applies to implementations of RC4-mode ciphersuites in all version of SSL and TLS.
The attack is based on the fact that statistical flaws in the keystream generated by the RC4 algorithm become apparent in TLS ciphertexts when the same plaintext is repeatedly encrypted at a fixed location across many TLS sessions.
When a RC4-based ciphersuite is used and an adversary has the ability to inject packets at will into the connection between the client and the server, the adversary can potentially use statistical analysis to retrieve plaintext from ciphertext messages.
As the flaw is inherent to the use of RC4 ciphersuites, the only resolution is to disable the use of RC4-based ciphersuites within PolarSSL.
At compile-time this can be achieved by removing the define for POLARSSL_ARC4_C from include/polarssl/config.h.
An alternative is to remove the ciphersuites from the list of ciphersuites provided to ssl_set_ciphersuites().
We strongly advise you to consider if your application needs RC4-dependent ciphersuites and disable them if you have the option. No real action is needed if an adversary cannot gain access to (part of) the network and thus cannot inject packets between your servers and clients.