Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
Watson Ladd <watsonbladd@gmail.com> Wed, 23 April 2014 04:09 UTC
On Tue, Apr 22, 2014 at 5:14 PM, Martin Rex <mrex@sap.com> wrote:
> Alyssa Rowan wrote:
>>
>> > 1.56% of TLS servers support only RC4.
>>
>> Partly because of PCI compliance testers making noise about BEAST, I'm
>> thinking.
>
> BEAST was and still is a pretty stupid hype.
>
> Even the ssl test at qualys is still making bogus claims about
> servers not being BEAST-patched. Unless your server is a SSL-VPN server
> or will boldly execute client-supplied active content, there can not
> possibly be a BEAST vulnerability in the TLS server.

It's not about the server: if I only offer TLS 1.0, then clients who connect to me who aren't 1/(n-1) patched are vulnerable to BEAST, which leads to theft of credentials. Force RC4, and it isn't exploitable, no matter how bad the client is. (BEAST was demonstrated against PayPal on a fully patched browser, with cookies stolen live on stage. I don't see how it is "stupid hype")

With modern clients this isn't a concern: TLS 1.1 or higher fixes the problem, as does 1/(n-1). However, there are enough old clients out there to apparently make this an issue, and the fix usually forces all of them to RC4. The one saving grace is BEAST requires a plugin. So far.

At some point RC4 needs to be removed. The question is now, or after someone demonstrates the sort of attack that we have nightmares about. Actually, given the talk about a removal path, 5 years from now or 3 years after someone demonstrates an attack.

>
>
> The larger problem with the use of RC4 is that a number of dense
> TLS clients (e.g. Java) send RC4 cipher suites at the very beginning
> of the list of cipher suites, and a number of dense TLS servers
> choose the first shared cipher from the list proposed by the client
> rather than the first shared cipher from the list configured by the
> server admin.

One side or the other needs patching, preferably both. End of the day we can't do anything without some actual work getting done on deployed stuff.

But yes, this is a good reminder that not everything is a web browser that calls home every week for an update.

Sincerely,
Watson Ladd

>
>
> -Martin

--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
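
The trade-off discussed in this message, as an added example that is not part of the original post: a simplified model of cipher-suite selection under client-order and server-order policies, used to audit which clients end up on RC4 or on TLS 1.0 CBC without 1/(n-1) record splitting. The client and server profiles are constructed for illustration, and the model assumes the highest shared protocol version is negotiated and only three suites exist.

```python
# Added illustration; all client/server profiles are constructed, not measured.
RC4 = "TLS_RSA_WITH_RC4_128_SHA"
CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"
GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # AEAD suite, TLS 1.2 only
VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2"]      # lowest to highest

def negotiate(client, server):
    """Return (version, suite) the server would select, or None if nothing is shared."""
    shared = [v for v in VERSIONS if v in client["versions"] and v in server["versions"]]
    if not shared:
        return None
    version = shared[-1]
    # Server-order policy walks the admin's list; client-order walks the client's.
    if server["honor_server_order"]:
        walk, other = server["suites"], client["suites"]
    else:
        walk, other = client["suites"], server["suites"]
    for suite in walk:
        if suite in other and (suite != GCM or version == "TLS1.2"):
            return version, suite
    return None

def classify(client, server):
    """Label the outcome of one handshake from a defender's point of view."""
    result = negotiate(client, server)
    if result is None:
        return "no-handshake"
    version, suite = result
    if suite == RC4:
        return "rc4"
    if suite == CBC and version == "TLS1.0" and not client["record_split"]:
        return "beast-exposed"  # CBC on TLS 1.0 without the 1/(n-1) split
    return "ok"

CLIENTS = {  # constructed profiles
    "java_like": {"versions": VERSIONS, "suites": [RC4, CBC, GCM], "record_split": True},
    "legacy_unpatched": {"versions": ["TLS1.0"], "suites": [CBC, RC4], "record_split": False},
    "modern_no_rc4": {"versions": VERSIONS, "suites": [GCM, CBC], "record_split": True},
}
SERVERS = {  # constructed configurations
    "client_order": {"versions": VERSIONS, "suites": [GCM, CBC, RC4], "honor_server_order": False},
    "server_order": {"versions": VERSIONS, "suites": [GCM, CBC, RC4], "honor_server_order": True},
    "rc4_only": {"versions": VERSIONS, "suites": [RC4], "honor_server_order": True},
}

def audit(server_name):
    """Map each client profile to its outcome against the named server config."""
    server = SERVERS[server_name]
    return {name: classify(c, server) for name, c in CLIENTS.items()}
```

In this model, honoring the server's order moves the RC4-first client off RC4, while the TLS 1.0 client without record splitting lands either on CBC or, when RC4 is forced, on RC4.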