Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 October 2014 14:59 UTC

Date: Fri, 24 Oct 2014 14:59:50 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141024145950.GN19158@mournblade.imrryr.org>
References: <CAO7N=i3gC=+qcgHU=aMKtRyT7tZV5fm=9gJii-=yOpcNECOEvA@mail.gmail.com> <20141022175238.GF19158@mournblade.imrryr.org> <544837FD.202@cs.tcd.ie> <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF651E4@USMBX1.msg.corp.akamai.com> <5449A667.9040105@cs.tcd.ie> <20141024133728.GI19158@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF65341@USMBX1.msg.corp.akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/6dsIlcs9gDSij8q5rkA3GnzbMwk

On Fri, Oct 24, 2014 at 10:31:23AM -0400, Salz, Rich wrote:

> > Leaving a cipher suite out is only practical once it is no longer the best shared
> > cipher with any peers.  
> 
> I don't agree with this blanket statement.  Sometimes nothing trumps "something is better than nothing."
> 
> When the IETF's leading cryptographers say not to use something,
> then you're better off with plaintext than a false sense of security
> for your users.

There is no false sense of security with non-interactive, unauthenticated
opportunistic TLS.  You expect no security, and none is claimed.  If
passive attacks happened to be avoided, that's gravy; if not, at least
cleartext would not have been stronger.

The MTA logs (if they record the use of TLS at all) will record
the ciphersuite used.  The administrator can draw appropriate
conclusions:

    Oct 18 11:42:40 amnesiac postfix/smtp[29005]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.26]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
    Oct 20 19:55:07 amnesiac postfix/smtp[21141]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.27]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
    Oct 22 02:55:59 amnesiac postfix/smtp[8024]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.26]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
    Oct 22 23:51:08 amnesiac postfix/smtp[26570]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.26]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
    Oct 23 01:25:18 amnesiac postfix/smtp[18228]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.171.26]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
    Oct 23 04:53:38 amnesiac postfix/smtp[20459]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.171.27]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
    Oct 23 21:05:20 amnesiac postfix/smtp[29828]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.171.26]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
    Oct 24 03:23:26 amnesiac postfix/smtp[1541]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.171.27]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)

After all the fuss about RC4, I've taken a minute to add a
destination-specific TLS policy for gmail.com:

    tls-policy:
        gmail.com encrypt exclude=RC4

    # postmap tls-policy

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        smtp_tls_policy_maps = ${indexed}tls-policy

Now I have:

    Oct 24 14:51:57 amnesiac postfix/smtp[10528]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.76.26]:25: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

No publicly known RC4 attacks apply to MTA-to-MTA delivery without
SASL AUTH, but there we have it: after enabling server cipher order
preempt on my end and disabling RC4 for Gmail, who can do better,
I am no longer seeing RC4 in my logs (it is still enabled for all other
destinations; no idea which ones are still running Exchange 2003).

-- 
	Viktor.
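An added example, not part of Viktor's message, of the log review his post describes: a small Python parser for the Postfix smtp(8) "TLS connection established" log line, run over constructed sample lines in the same format, that reports per destination how many sessions still negotiated RC4. The `mx.example.net` host, its `192.0.2.10` address and the non-TLS delivery line are constructed for the sample.

```python
import re
from collections import defaultdict

# Pattern for the Postfix smtp(8) TLS log line format shown in the post:
# trust level, destination host[IP]:port, protocol, cipher name, key bits.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>\w+) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

def parse_tls_line(line):
    """Return a dict describing the TLS session, or None for any other log line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bits"] = int(rec["bits"])
    return rec

def uses_rc4(rec):
    """OpenSSL cipher names carry the bulk cipher as a dash-separated token, e.g. ECDHE-RSA-RC4-SHA."""
    return "RC4" in rec["cipher"].upper().split("-")

def rc4_destinations(lines):
    """Map each destination host to (rc4_sessions, total_tls_sessions) over the log."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue  # queue/delivery lines without TLS details are skipped
        counts[rec["host"]][1] += 1
        if uses_rc4(rec):
            counts[rec["host"]][0] += 1
    return {host: tuple(c) for host, c in counts.items()}

# Constructed sample lines in the format of the post's log excerpt.
SAMPLE_LOG = [
    "Oct 23 21:05:20 amnesiac postfix/smtp[29828]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.171.26]:25: TLSv1.1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)",
    "Oct 24 14:51:57 amnesiac postfix/smtp[10528]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.76.26]:25: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)",
    "Oct 24 15:02:11 amnesiac postfix/smtp[10601]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)",
    "Oct 24 15:03:40 amnesiac postfix/smtp[10602]: 4F2C3A1: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, status=sent (250 OK)",
]

if __name__ == "__main__":
    for host, (rc4, total) in sorted(rc4_destinations(SAMPLE_LOG).items()):
        print(f"{host}: {rc4}/{total} TLS sessions used RC4")
```

Destinations with a non-zero RC4 count are the candidates for an `exclude=RC4` entry in the policy map, keyed by the recipient domain rather than the MX hostname shown in the log.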