[TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
Alyssa Rowan <akr@akr.io> Sat, 19 April 2014 20:10 UTC
Message-ID: <5352D82C.2030302@akr.io>
Date: Sat, 19 Apr 2014 21:10:20 +0100
From: Alyssa Rowan <akr@akr.io>
To: tls@ietf.org
References: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com> <20140419131019.GA29561@roeckx.be> <5352B328.1080006@pobox.com> <20140419175352.GA9090@roeckx.be> <238BBDD5-DDE5-4627-AF4D-BC57DC0E61D7@gmail.com>
In-Reply-To: <238BBDD5-DDE5-4627-AF4D-BC57DC0E61D7@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eGjta3YnDQgrjpqUmHGfPkdF_1M
Subject: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
On 19/04/2014 20:28, Yoav Nir wrote:

> As long as the client is required to support such servers, I guess
> we have to live with it.

I think the only correct deprecation path to recommend is the one that's on the table right now: the off switch. Warn your users if you have to. But don't negotiate RC4 without a click-through warning.

RC4 is either on the brink of being cracked, given the serious known weaknesses pointed out in Section 1 of the draft, or it is already over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were talking about that they got from NSA, and that seems plausible to me, and to several others, including Schneier).

If it's on the brink, then when it's cracked, captured traffic can (and will) be retroactively decrypted. If it's over the brink, that's already happening.

That window of opportunity was widened by advice given to use RC4-SHA to avoid BEAST, which is why some servers prefer RC4 to AES-128. (That was very bad advice, with 20:20 hindsight.)

We need to close that window now. As you've seen in this discussion, there is only one safe way to close that window: disable RC4 completely.

Any delay in disabling RC4 leaves that window open for longer, and leaves users subject to a false sense of security about their connections that should be protected by that little 'lock icon'. I don't think we can in good conscience recommend any delay.

That's why the draft we have strong consensus on is crystal-clear:

o TLS clients MUST NOT include RC4 cipher suites in the ClientHello message.
o TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a cipher suite in the ClientHello message.
o If the TLS client only offers RC4 cipher suites, the TLS server MUST terminate the handshake. The TLS server MAY send the insufficient_security fatal alert in this case.

In short: RC4 is Considered Harmful. Kill it with fire.
On 19/04/2014 20:54, Kurt Roeckx wrote:

> IE on XP is known to only support 3DES, RC4, and some export
> ciphers.

Firstly, of those options, they're all bad. 3DES is the less awful option in my opinion (because BEAST is an active attack, but RC4 is or will be vulnerable to a passive attack applicable in retrospect), but none of them are recommended.

But, reminder: support for Windows XP ended 11 days ago. It's now off life-support... it's got bigger problems than even 3DES.

--
/akr
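As an added illustration (not code from the post, the draft, or any TLS library) of the three draft rules quoted above, the following applies them to the cipher_suites vector of a ClientHello: the client-side filter drops RC4 from the offer, and the server-side selection never picks RC4 and aborts with a fatal insufficient_security alert when nothing else was offered. The RC4 code points and the alert value are the registered IANA/RFC 5246 values; the server preference list and the sample ClientHello offers are constructed for the example.

```python
import struct

# Registered IANA code points of some RC4 cipher suites (a subset; enough for the demo).
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

# Assumed server preference order: AES-128-GCM first, then AES-128-CBC, then 3DES.
# RC4 is deliberately absent, so it can never be selected (draft rule 2).
SERVER_PREFERENCE = [0xC02F, 0x002F, 0x000A]

INSUFFICIENT_SECURITY = 71  # AlertDescription.insufficient_security (RFC 5246)

def parse_cipher_suites(vec):
    """Parse a TLS cipher_suites<2..2^16-2> vector: uint16 byte length, then uint16 code points."""
    (length,) = struct.unpack("!H", vec[:2])
    if length < 2 or length % 2 or len(vec) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack("!%dH" % (length // 2), vec[2:2 + length]))

def strip_rc4(offered):
    """Draft rule 1 (client side): never put an RC4 suite into the ClientHello."""
    return [cs for cs in offered if cs not in RC4_SUITES]

def select_cipher_suite(offered):
    """Draft rule 2: pick the first server-preferred suite the client offered, ignoring RC4."""
    usable = set(strip_rc4(offered))
    for cs in SERVER_PREFERENCE:
        if cs in usable:
            return cs
    return None  # nothing acceptable left: rule 3 applies

def fatal_alert_record(description, version=b"\x03\x03"):
    """TLS record carrying a fatal alert: ContentType 21 (alert), AlertLevel 2 (fatal)."""
    body = bytes([2, description])
    return b"\x15" + version + struct.pack("!H", len(body)) + body

def handle_client_hello_suites(vec):
    """Return ('continue', suite) or ('terminate', alert_record) for a ClientHello offer."""
    chosen = select_cipher_suite(parse_cipher_suites(vec))
    if chosen is None:
        return ("terminate", fatal_alert_record(INSUFFICIENT_SECURITY))
    return ("continue", chosen)

# Constructed sample offers: RC4-only; an XP-style offer of RC4, 3DES and an export suite;
# and a modern offer that also lists RC4.
RC4_ONLY = struct.pack("!HHH", 4, 0x0005, 0x0004)
XP_STYLE = struct.pack("!HHHHH", 8, 0x0004, 0x0005, 0x000A, 0x0003)
MODERN = struct.pack("!HHHH", 6, 0x0005, 0x000A, 0xC02F)
```

With these inputs the RC4-only offer is rejected with the alert record `15 03 03 00 02 02 47`, the XP-style offer falls through to 3DES, and the modern offer gets AES-128-GCM even though RC4 was listed first.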