[TLS] Prohibiting RC4 Cipher Suites

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 22 August 2013 07:35 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id C990E11E80E0 for <tls@ietfa.amsl.com>; Thu, 22 Aug 2013 00:35:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id IzPMmVhPV74c for <tls@ietfa.amsl.com>; Thu, 22 Aug 2013 00:35:47 -0700 (PDT)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) by ietfa.amsl.com (Postfix) with ESMTP id 7831F21F9FE5 for <tls@ietf.org>; Thu, 22 Aug 2013 00:35:43 -0700 (PDT)
Received: by mail-wg0-f51.google.com with SMTP id a12so1250497wgh.6 for <tls@ietf.org>; Thu, 22 Aug 2013 00:35:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=vR5GQZqPg/gDRNYlyDoTnqTR1mETxpOJV9388/j2Yrg=; b=YSF1x1llm5qq31HYueKnoUPB6VykW+nV3qP2x5M09Lay/AN/iWVWi1RpNxlH7UxNfH N9GWt1UfP4u05qqh2/LA5gfcfIyJQ86KA82WuLf0gSinDNvsjp5PEbE+D9rknNyPjorO is7+B1JxTL0qIRAkRh2fEoue669fkaUUJjksD5FcKLVrjNKVqzdNOQMyH92PlchWMuc5 8EJQQLnwhXZWa0Y/5gweDg7qrvyPV/4oT3xsOIbOsWbCykIEuRT09D3sflvP3OcqKetf ijPc40wHaYmnRC9baKBG9VY0UGs4y7w6q5xD31KNkFzwSKLPWLfvEQvMCOQ28S9OGv9g qEZQ==
X-Received: by with SMTP id gf5mr8643119wic.31.1377156940224; Thu, 22 Aug 2013 00:35:40 -0700 (PDT)
Received: from [] (46-116-127-98.bb.netvision.net.il. []) by mx.google.com with ESMTPSA id i5sm36348884wiw.7.1969. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 22 Aug 2013 00:35:39 -0700 (PDT)
Message-ID: <5215BF4A.7020909@gmail.com>
Date: Thu, 22 Aug 2013 10:35:38 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: tls@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [TLS] Prohibiting RC4 Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 07:35:47 -0000

Hi Andrei,

Thank you for the new draft. While I agree with the motivation and with 
the first two recommendations (do not offer RC4, do not accept RC4 - if 
possible!) I disagree that it is better to completely reject a client 
that offers only RC4, because the intuitive fallback for Web users is 
simply, don't do TLS. In a world of pervasive passive surveillance (see 
https://www.ietf.org/mailman/listinfo/perpass), we would prefer sessions 
to be encrypted even if it means that an active attacker, working hard, 
can break into them. And yes, the is the age old "false sense of 
security" discussion, yet again.