IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

James Cloos <cloos@jhcloos.com> Fri, 03 October 2014 21:38 UTC

Return-Path: <cloos@jhcloos.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E3B31A893E for <tls@ietfa.amsl.com>; Fri, 3 Oct 2014 14:38:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.787
X-Spam-Level:
X-Spam-Status: No, score=-2.787 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67X5p3C1sxmJ for <tls@ietfa.amsl.com>; Fri, 3 Oct 2014 14:38:03 -0700 (PDT)
Received: from ore.jhcloos.com (ore.jhcloos.com [198.147.23.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 298D11A876E for <tls@ietf.org>; Fri, 3 Oct 2014 14:38:03 -0700 (PDT)
Received: by ore.jhcloos.com (Postfix, from userid 10) id 06D911E19B; Fri, 3 Oct 2014 21:38:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=ore14; t=1412372282; bh=hSY1UTLWqiKb1Dg/aMtcvV/iHdGKcFbnnEK70ZqcoSo=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=gaKO2twtrpTFYvD5ZV67FfIri8Z8BhYzowrFthziZQcKQhGLOnipl4VIQ8eSllT6d CxevaTJdwfsaC1KdFaKODDPYlGsMy8z3GW9KygxeqO8taqKrThvkYHTkss3IJfo2ix 36MfaCv88GRFukyMBplK/781GUYXaLCEmpsuit1w=
Received: by carbon.jhcloos.org (Postfix, from userid 500) id 26A2360023; Fri, 3 Oct 2014 21:37:31 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: Hubert Kario <hkario@redhat.com>
In-Reply-To: <1878200851.5790803.1412334914571.JavaMail.zimbra@redhat.com> (Hubert Kario's message of "Fri, 3 Oct 2014 07:15:14 -0400 (EDT)")
References: <20141002005804.2760C1AE9D@ld9781.wdf.sap.corp> <BA2DFF33-7B0C-4E87-9C0E-215933AED88F@akr.io> <2A0EFB9C05D0164E98F19BB0AF3708C71D2F8F7E83@USMBX1.msg.corp.akamai.com> <CADMpkcJEt4e7LJAY+FsFcbyQE2x3SXsaOW3bffV4U2oN9EUKrg@mail.gmail.com> <542D850E.2060900@akr.io> <CADMpkc+Zbu64wek2HayW2tCf+d1ZYLocMp2PzXncyS=fHPDwsg@mail.gmail.com> <542DB1D4.4020601@akr.io> <20141003042418.GS13254@mournblade.imrryr.org> <1878200851.5790803.1412334914571.JavaMail.zimbra@redhat.com>
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2014 James Cloos
OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Fri, 03 Oct 2014 17:37:31 -0400
Message-ID: <m3bnpsq1gk.fsf@carbon.jhcloos.org>
Lines: 19
MIME-Version: 1.0
Content-Type: text/plain
X-Hashcash: 1:28:141003:hkario@redhat.com::oqBQxSI07E1NvFRa:000000000000000000000000000000000000000000066eiF
X-Hashcash: 1:28:141003:tls@ietf.org::xM6Q/r8JCC15ZE7O:00002wWpl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4QkoHlZSqJVZACx3iz4MyVRZzDM
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Oct 2014 21:38:04 -0000

>>>>> "HK" == Hubert Kario <hkario@redhat.com> writes:

HK> Only about 1% of servers support only RC4 cipher, 1.5% if you're
HK> using Firefox[1].

When this first came up I test a few of them.  Some of the sites I
tested had some sort of load balancing box listening on the main uri
which redirected to the real servers.  In each of the cases of that
sort where the redirecting box only supported rc4, the destinations
all supported a reasonably modern set of ciphers.

So the problem isn't just updating typical web servers, but also dealing
with what are likely low-spec closed-source fronts.  It may be impossible
for some of the rc4-only sites to fix that w/o replacing (probably over-
priced) hardware.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6

v2.23.0 | Report a Bug | By Email