
Fortify.net is a service that displays the encryption key currently used by your browser in an HTTPS connection. If I browse this site with Chrome 4.1.249.1042 on WinXP SP3, the key used is

RC4 cipher, 128-bit key

This encryption is weak, and it's the one used by old browsers like IE6.
Chrome works fine on Fedora9 and it uses

AES cipher, 256-bit key

as more modern browsers do (i.e. Firefox).

I consider this a security issue. I'm considering switching back to Firefox on Windows.
Do you know if it's possible to change the default encryption key in Chrome?

1 Answer


I consider this a security issue

Why?

According to the very site you are linking to:

This is a high-grade encryption connection, regarded by most experts as being suitable for sending or receiving even the most sensitive or valuable information across a network.

Also, on my XP machine, both Opera 10 and IE 8 (neither of which can be considered old browsers) show RC4 cipher, 128-bit key.

On Windows 7:

 Chrome (5.0.366.2) - AES cipher, 128-bit key
 IE8                - AES cipher, 128-bit key
 FireFox            - AES cipher, 256-bit key

Firefox on XP also shows AES cipher, 256-bit key.

Do you know if it's possible to change the default encryption key in Chrome?

I think Chrome, Opera and IE8 all use the encryption built into the operating system, whereas Firefox wrote their own. (I could be wrong, as this is a mixture of rumour and guesswork.) So it might be a case of finding out if you can update your encryption level in your operating system.

  • I consider it a security issue because, as I read on Wikipedia, RC4 128-bit can be hacked and because AES-256 is considered more secure than RC4. Maybe I'm wrong... btw I consider IE9 old already
    – al nik
    Commented Apr 2, 2010 at 12:33
  • I'm no security expert, but I took the articles I read on RC4/AES to mean that some implementations of RC4 (e.g. WEP) were very bad and were insecure in real life, but other implementations are 'secure enough'. Given the scramble to replace WEP when it was discovered that it could be cracked, I would have expected Microsoft to have been forced (by big corporations still using XP) to update the encryption in XP if it could be exploited in real life. There was talk a while back about Chrome switching to use the Firefox encryption libraries, so it is possible things might change.
    – sgmoore
    Commented Apr 2, 2010 at 13:57
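
An added example, not part of the original question or answer: a small model of TLS cipher suite selection showing how the same server can end up on RC4-128 with one client and AES-256 with another, purely because the two TLS libraries offer different suites. The offer lists and server configuration are constructed for illustration (they are not captured from real browsers), and the premise that one client's library offers no AES follows the answer's guess.

```python
import re

# Constructed lists (assumptions, not real browser captures); names are IANA suite names.
OS_STACK_WITHOUT_AES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
OWN_LIBRARY_WITH_AES = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
SERVER_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

def negotiate(client_offer, server_suites, server_preference=True):
    """Return the suite the server selects, or None when nothing overlaps."""
    ordered, other = (server_suites, client_offer) if server_preference else (client_offer, server_suites)
    allowed = set(other)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None

def describe(suite):
    """Render a suite the way the page quotes it, e.g. 'AES cipher, 256-bit key'."""
    if suite is None:
        return "no common cipher suite"
    bulk = suite.split("_WITH_", 1)[1]
    if bulk.startswith("3DES"):
        return "3DES cipher, 168-bit key"
    m = re.match(r"([A-Z0-9]+)_(\d+)", bulk)
    return f"{m.group(1)} cipher, {m.group(2)}-bit key"

def audit(client_offer, server_suites):
    """Negotiate and flag an RC4 outcome so the weak result is visible."""
    chosen = negotiate(client_offer, server_suites)
    return {"suite": chosen, "display": describe(chosen), "rc4": bool(chosen and "_RC4_" in chosen)}

if __name__ == "__main__":
    for name, offer in [("OS stack", OS_STACK_WITHOUT_AES), ("own library", OWN_LIBRARY_WITH_AES)]:
        print(name, audit(offer, SERVER_SUITES))
```

The server cannot pick a suite the client never offered, so the remedy for an RC4 result sits in the client's TLS library (or in removing RC4 from the server list, which turns the result into a handshake failure for clients with no alternative).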
