RC4 Vulnerability

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext (e.g. session cookies).

Airlock offers RC4 based ciphers to clients if SSL/TLS is requested but not with the highest priority. It's well known that RC4 is vulnerable against various forms of attacks based on statistical analysis. On the other hand RC4 is a stream cipher and therefore not vulnerable to CBC related attacks on TLS 1.0 like "BEAST" or "Lucky 13" which we rate as a higher risk than CVE-2013-2566. Airlock will therefore actually not change the default list of cipher suites in Apache.