IETF Logo Mail Archive

Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-encrypt-then-mac)

Yoav Nir <ynir.ietf@gmail.com> Fri, 11 April 2014 20:39 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55E5D1A072E for <tls@ietfa.amsl.com>; Fri, 11 Apr 2014 13:39:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 90vT4O59EgZ8 for <tls@ietfa.amsl.com>; Fri, 11 Apr 2014 13:39:00 -0700 (PDT)
Received: from mail-ee0-x231.google.com (mail-ee0-x231.google.com [IPv6:2a00:1450:4013:c00::231]) by ietfa.amsl.com (Postfix) with ESMTP id E32D51A03D0 for <tls@ietf.org>; Fri, 11 Apr 2014 13:38:59 -0700 (PDT)
Received: by mail-ee0-f49.google.com with SMTP id c41so4527147eek.36 for <tls@ietf.org>; Fri, 11 Apr 2014 13:38:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YG3oFK2EqaAkHOLKhjUrcLUxfRkp/R54JFL6aUje0Uo=; b=Xdm1OxZerw9xuUK1yqrV7j1mjU91Sbtg9mYSXVDU3W3wMekVWMM67L9viwhQbBk47Q JMSuhughM3FeYx9pk7AsPfQ2j8GjDuJR5rBXsxgpp1DQpBvzLoOcakcIaRCpnDL0NdCR 98VDArUhZlyEGXtYwAGfiuI/cwnQU5fi/DiD7fuKWFOWmGldCUTWm/HVnryEQDVCWnpa 0ypsfoyDVVm4uymJvKf3FUx0EqhT1lf49Fw7XKE7L/JCmNR1S0ucBxaqHFTEYfwZGxV0 7oX3AHbVWcr870E8JpzKO2Cf0G+HUL/zNQXoht2Z/DZ/84/KTlRgCJmUyqcqXCqTLqv6 zBxg==
X-Received: by 10.14.88.199 with SMTP id a47mr28604575eef.6.1397248738090; Fri, 11 Apr 2014 13:38:58 -0700 (PDT)
Received: from [192.168.243.52] ([192.116.177.210]) by mx.google.com with ESMTPSA id u1sm20165624eex.31.2014.04.11.13.38.56 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 11 Apr 2014 13:38:57 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <53484319.5090504@fifthhorseman.net>
Date: Fri, 11 Apr 2014 23:38:55 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <CF0DDAAC-23A0-4A87-AFA7-0BE2CEF19A6B@gmail.com>
References: <CABcZeBOvxL7Zws0UNowViBWGaVBgfm3zXt8=dNPKffGfN3q2gA@mail.gmail.com> <53484319.5090504@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/65b6qrmTKtZnVQRJk85ateTIzxE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-encrypt-then-mac)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Apr 2014 20:39:02 -0000

Hi, dkg

It’s not clear to me whether the draft is targeted at developers or deployers. If the former, it comes too late to apply to XP and Win2003. If the latter, you can still configure your server to only offer 3DES. While not the best cipher out there, if someone is stuck and cannot upgrade to Win2008, it is (as you say) the only plausible thing.

For people stuck on XP, there’s still Chrome, Firefox, and Opera. If they insist on using software that is all 10 years old, a new RFC can’t apply to them. If you use IE you can’t turn off ciphersuites. Or maybe there’s some secret registry hack, but if you’re technical enough to hack the registry, you’re technical enough to install a more modern browser or OS.

Those other weak ciphers should be gone as well. There is no good reason today to have “export” ciphersuites. NULL can stay, but nobody in their right minds uses that in a server that is supposed to offer confidentiality. Those ciphersuites are like AH in IPsec, a rarity that is useful in a few edge cases.

As for opportunistic encryption, while it’s true that RC4 is better than nothing, anything that can do RC4 can do better things. Even if those "better things" are 3DES-CBC in TLS 1.0.

Yoav

On Apr 11, 2014, at 10:31 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> On 04/11/2014 02:50 PM, Eric Rescorla wrote:
> 
>> Andrei Popov has refreshed his draft on deprecating RC4:
>> 
>> http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02
> 
> I would be happy to see RC4 go away, and if this helps push the 'net
> across that boundary, I would be happy to see it.
> 
> I have two concerns with the current draft, though:
> 
> 
> 0) XP, WinServer2003, and even weaker ciphers
> ----------------------------------------------
> 
> Windows XP and Windows Server 2003 offer a very limited selection of
> ciphersuites:
> 
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx
> 
> The only two ciphers that are close to plausible here RC4 and 3DES-CBC.
> The other ones are even weaker.
> 
> If we say that such a system shouldn't offer RC4, should they continue
> offering the even weaker ciphers as well, like TLS_RSA_WITH_DES_CBC_SHA
> or, uh, TLS_RSA_WITH_NULL_SHA ?  Do we have comparable text that
> deprecates these other ciphers?
> 
> Windows XP was EOL'ed earlier this week, but everyone knows that it is
> still in disturbingly widespread use.
> 
> Windows Server 2003 is supposed to be in extended support until the
> middle of 2015.
> 
> Is there any prospect of an SChannel update for these systems that would
> make these clients behave better on the modern network?
> 
> 
> 1) opportunistic TLS in fallback-to-clear contexts
> ---------------------------------------------------
> 
> as broken as RC4 is, it's better than cleartext.  There are contexts in
> which TLS is used only when it can be negotiated, and otherwise the same
> communication is retried in the clear.  One such example is SMTP mail
> delivery.
> 
> It would be a net loss in security if this draft caused a mailserver to
> fail to negotiate TLS, and then it came back and reconnected to deliver
> the same message in the clear.
> 
> Some text that thoughtfully acknowledges this context and indicates what
> servers and clients should do knowing that old peers exist would
> probably be useful.
> 
> 
> 
> More generally, and i know i've banged on this drum before, i wish we
> had a better idea about how to proactively deprecate weak crypto in
> general.  It seems like we always do it in an ad-hoc fashion, and we
> roll out new crypto without a thought about how we're going to deal with
> its inevitable demise (except maybe by yanking it in some ad-hoc way in
> the future).  I've got no good recommendations for how to do this, but i
> would love to hear some.
> 
> 	--dkg
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email