PayPal Community

ZapNZs · ‎Mar-21-2015

My connection with Paypal is using RC4_128 as the preferred cipher with TLS 1.2. I was under the impression that RC4 was quite vulnerable and that AES-GCM is strongly preferred with TLS 1.2 as a more secure alternative? Am I incorrect? How much of a concern is this? thanks!

starlitetech · ‎Mar-27-2015

Today, only TLS 1.2 with GCM suites offer fully robust security. All other suites suffer from one problem or another (e.g, RC4, Lucky 13, BEAST), but most are difficult to exploit in practice. Because GCM suites are not yet widely supported, most communication today is carried out using one of the slightly flawed cipher suites. It is not possible to do better if you're running a public web site.

The one choice you can make today is whether to prioritize RC4 in most cases. If you do, you will be safe against the BEAST attack, but vulnerable to the RC4 attacks. On the other hand, if you remove RC4, you will be vulnerable against BEAST, but the risk is quite small. Given that both issues are relatively small, the choice isn't clear.

However, the trend is clear. Over time, RC4 attacks are going to get better, and the number of users vulnerable to the BEAST attack is going to get smaller.

ZapNZs · ‎Mar-27-2015

I'm no expert here so forgive me if I do not make sense. As I understand it and as you noted, TLS 1.2 with AES GCM is really the tour-de-force of a secure connection that best mitigates the chance of victimization (but enterprise clients are still progressively adopting it.) Maybe 12-18 months back I recall reading Microsoft urging enterprise clients to work in the direction of phasing out RC4, and immediately make RC4 at the bottom at the list of preferred ciphers due to fears of growing ease in exploitation (many of which were NOT necessarily instituted in practice but more 'theoretical targeting'.

However, based on what you showed me, I am guessing this was said when CBC was assumed to be more secure than it is today (as was TLS 1.0/1.1).

Some of Paypal's servers support GCM and those servers make AES GCM prioritized over RC4. However, from what I can tell not all PayPal servers support GCM. Based on what you are saying, does that mean Paypal is likely prioritizing RC4 over CBC on these servers given the recent demonstrations of how CBC is also vulnerable?

If that is the case, hopefully they are moving in the direction of GCM. Whether Paypal likes it or not, they are a huge target (and therefore we are too 😞 ) While it's impossible to quantify, based on what you are saying it sounds like the risk here is still relatively low?

Again, I'm not an expert on this but rather a guy who does research for a living and had a financial nightmare unfold because I never gave much thought to secure connections. One website, some obsolete cryptography, and the entering of the financial data you use to make purchases, **bleep** on earth broke. (I consider myself partly at fault due to my ignorance of assuming that a secure connection was a secure connection.)

https://www.ssllabs.com/ssltest/analyze.html?d=paypal.com&s=23.203.228.56

johnnylingo · ‎Jul-05-2015

I wanted to point out that since 2012, PayPal web transactions actually go via Akamai. So actually, you should be asking why Akamai is doing it. Like starlitetech says, it goes back to BEAST, but since 2013 it's been apparent that the risk of BEAST in reality is very small but that RC4, MD5, etc needed to be phased out. We have Mr. Snowden to thank for awareness on the latter.

As for AES-GCM, supporting it is not quite as simple as it sounds. Sites dealing with thousands of connections each second need to support all cryptography functions in hardware, and I can tell you that older Citrix Netscalers won't do AES-GCM and certain F5 BigIP models won't do the SHA-2 hashing that AES-GCM suites require. So, perhaps the hold-up is a hardware upgrade on Akamai's end which would have a hefty price tag.

PayPal Community

Why is PayPal still preferring a RC4 cipher with TLS 1.2? Is RC4 with TLS secure?

Haven't Found your Answer?