Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 03 October 2014 16:25 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B2C31A0387 for <tls@ietfa.amsl.com>; Fri, 3 Oct 2014 09:25:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qjUpY9vOCJqJ for <tls@ietfa.amsl.com>; Fri, 3 Oct 2014 09:25:12 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54D461A0384 for <tls@ietf.org>; Fri, 3 Oct 2014 09:25:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1412353512; x=1443889512; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=9RPgEIy7RFM8QSp9IxmFIvpTmAew6KNd73PZtS7A1g8=; b=Bn30dfTjE0Q1v6/41Mzup1nedEjn5ddKwhY0k5jPgqlwbXlF8KZy92sq ZfozIINJFPDr5DGE/cWJVWWZHGUeSemL+PZ40Bl5EJYFlBDiiWhlpitgT pS+Nu9eDOkehIHkFE5gDLeTe/0n7RnOVfNqJgogSPk62j/H1D3p2pUJkb k=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="280240771"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.171 - Outgoing - Outgoing
Received: from uxchange10-fe4.uoa.auckland.ac.nz ([130.216.4.171]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 04 Oct 2014 05:25:07 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.70]) by uxchange10-fe4.UoA.auckland.ac.nz ([169.254.109.63]) with mapi id 14.03.0174.001; Sat, 4 Oct 2014 05:25:07 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
Thread-Index: Ac/fJpeYqJWNhqq0Q+StElEGYEuZ3g==
Date: Fri, 03 Oct 2014 16:25:06 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9C0CCC@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/6PYKySpKEml8yI1HQQuYMOTh3go
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Oct 2014 16:25:16 -0000
Alyssa Rowan <akr@akr.io> writes: >As I've pointed out, if you're forced into backwards compatibility with rusty >legacy, 3DES is, though crappy, a less crappy choice than RC4. > >As Rich points out, just because legacy devices are indeed out there doesn't >mean that they do TLS safely, and doesn't mean we shouldn't prohibit unsafe >practice like using weak ciphers. It's not just TLS implementations, you also need to look at the surrounding infrastructure. For example Microsoft's NDES (Network Device Enrolment Service) hardcodes in MD5 to authenticate certs (via cert fingerprints) and single DES (not 3DES, single DES) for "protection" of messages (even if you send in a request using AES, the response comes back using single DES). In other words the most modern algorithm in there is more than twenty years old, and it's broken. So it doesn't matter how secure the TLS implementation is if the certs used to control it are being "protected" with broken crypto. Peter.
- [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hanno Böck
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- [TLS] adopting ChaCha20 as a WG item was: I-D Act… Nikos Mavrogiannopoulos
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Yoav Nir
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- [TLS] why Chacha20-SHA1 was: adopting ChaCha20 as… Nikos Mavrogiannopoulos
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Joachim Strömbergson
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Peter Gutmann
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Brian Smith
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… James Cloos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Paul Lambert
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Carl S. Gutekunst
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… James Cloos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ralph Holz
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ronald del Rosario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Chris Newman
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Joseph Salowey
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Paterson, Kenny
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- [TLS] Fw: I-D Action: draft-ietf-tls-prohibiting-… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Checkoway
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Blumenthal, Uri - 0558 - MITLL