IETF Logo Mail Archive

Re: [TLS] RC4 depreciation path (Re: Deprecating more (DSA?))

Watson Ladd <watsonbladd@gmail.com> Sat, 19 April 2014 19:57 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BDE81A00D5 for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:57:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_66=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id soPwMqVXT3qv for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:57:15 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id BC8FC1A00A5 for <tls@ietf.org>; Sat, 19 Apr 2014 12:57:15 -0700 (PDT)
Received: by mail-yh0-f42.google.com with SMTP id v1so589011yhn.29 for <tls@ietf.org>; Sat, 19 Apr 2014 12:57:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=wY7+tJ4ztHKyr3SWh1af8hb9HrVtcVIH3ZIDGz8IDQY=; b=xXacnXUL3hhJtapn+O6uy94kgNqP6tE1Knauy1Kvo+fENcDw/E2mQGxBVgUB6wlCj1 NiyohmoxU3VWBl3DDvSpLFvF+xdFhyWZ7VJyfhZ29xOhSX7R4I33E/k+7HuOAC+1hzjg usRjxeh8iuoz7JmkLcnKoEcSM7XrcaBG1pSFELmI1nE5oZyyUHI3TFjCI8wlLHSTS0q9 nU3ecMHk+fQpv4avzVguWQ6k4935Dxe4jQTVAPxpqNrqW4oI9XwsWt2vPTXpiyMK2u3d W+6cgbWu8C/iU/bdODCKT57Q1dLjmS8VE52X0AIWgFwxZzwh6X8yabF0olj/6a9AWdnt qldQ==
MIME-Version: 1.0
X-Received: by 10.236.66.135 with SMTP id h7mr38920761yhd.60.1397937431178; Sat, 19 Apr 2014 12:57:11 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Sat, 19 Apr 2014 12:57:11 -0700 (PDT)
In-Reply-To: <AFC6B628-8D22-4B06-B2B8-7B047515FFB3@gmail.com>
References: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com> <20140419131019.GA29561@roeckx.be> <AFC6B628-8D22-4B06-B2B8-7B047515FFB3@gmail.com>
Date: Sat, 19 Apr 2014 12:57:11 -0700
Message-ID: <CACsn0c==+Ymu4HxwS74fU3Qx_GYRKborUiUZ7jHwrUQdXrvLOQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Fabrice <fabrice.gautier@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/25Ns12-r7XTl9U8gHA_qRjz6j84
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 depreciation path (Re: Deprecating more (DSA?))
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 19:57:19 -0000

On Sat, Apr 19, 2014 at 12:32 PM, Fabrice <fabrice.gautier@gmail.com> wrote:
>> On Apr 19, 2014, at 6:10, Kurt Roeckx <kurt@roeckx.be> wrote:
>>
>>> On Fri, Apr 18, 2014 at 11:03:44PM -0700, Watson Ladd wrote:
>>>> On Thu, Apr 17, 2014 at 9:15 AM, Brian Sniffen <bsniffen@akamai.com> wrote:
>>>> Alyssa Rowan <akr@akr.io> writes:
>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA512
>>>>>
>>>>> It looks like RC4 is rapidly heading for the chopping block, with
>>>>> basically unanimous consensus. Good.
>>>>
>>>> Agreed, mod Martin's proposal that I understand to ask for a reasonable
>>>> path by which we strongly deprecate RC4 on clients, then after a client
>>>> generation ban RC4 on clients and deprecate for servers.
>>>
>>> I don't think this is the correct path. I think what we should do is
>>> have clients and servers both prefer other options (in all TLS
>>> versions), then once that change is made, ban it entirely. Deprecation
>>> on one side won't affect the other side if there isn't an alternative
>>> mandated. (Right now RC4 only servers are keeping RC4 alive).
>>>
>>> This first step has already happened in the web context on modern
>>> browsers. What we need is to make the server side step happen, and
>>> then think about removal in the second step.
>>>
>>> Sadly, our ability to force upgrades is very limited.
>>
>> And I think publishing an RFC isn't actually really going to help
>> much.
>
> Not much, but a little bit. I think there are still a lot of people (including myself) that are not convinced that the severity of the attacks against RC4 justify removing it yet. I'm not an expert enough to be able to tell if the various published papers about RC4 are mostly theoretical issues, or practical ones.
>
> If the IETF comes out with an RFC officially deprecating it, that's one more thing telling me this is serious enough that it should really be looked at.

Have you seen the graphs of recovery probability against number of
connections? It's pretty bad.

The big idea is to use Fluherer-McGrew biases+Hidden Markov model
algorithms. That's assuming no more cryptanalysis results. I don't
think that's a good assumption.

>
>> Yes, people could use it tell others that it's deprecated,
>> but I think there are already more than enough places that say so
>> that having this RFC isn't really going to make a difference
>
>> I do agree that we need to try to get both sides to stop using it,
>> and I wish we could just tell people to stop using it and that
>> they would do so.  But I don't see either the server or the client
>> side wanting to break things.  It would clearly help if they could
>> say at which point they wouldn't mind breaking things
>
>> So I think that for now the best we can do is:
>> - Servers should either stop accepting RC4 or make sure that
>>  if the clients supports something better (TLS >= 1.1?) it should
>>  not pick RC4.
>
> I would think there would be very few if any clients out there that only support RC4. But I would expect some servers out there do no support RC4 already.
> Although I have no actual data to support my gut feeling here, and would be glad to be proven wrong.

It's a server-side workaround for BEAST. Not all old IE versions have
1/n-1 record splitting. I'm part of the problem here: my dad refuses
to get a new computer, so IE6 on XP it is. However, old IE isn't
vulnerable without plugins.

Vanguard.com is a website using RC4 on modern browsers. The reason for
this is partly BEAST and partly a misconfiguration in which they
support TLS 1.2, but still want RC4. It's this sort of issue which we
can solve easily. Removing RC4 from browsers wouldn't break them.

>
>>  It's my understanding that the client preferences of ciphers
>>  should be used but that servers can override that, and that
>>  there might be good reasons to do so. For instance to get PFS
>>  when talking to Internet Explorer.  If they override it, they
>>  should make sure not to put RC4 first.  Basically, a mondern
>>  client should never get RC4.
>> - Clients should not announce support for RC4 in their initial
>>  connection attempt, and only fall back to support it when the
>>  server says that there are no common ciphers.  (I'm not sure
>>  if a MITM can fake that response or not.)
>>
>> At some point in time when the clients or servers think that they
>> don't need to support RC4 anymore they should disable it.
>>
>>
>> Kurt
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email