Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

Watson Ladd <watsonbladd@gmail.com> Wed, 23 April 2014 04:09 UTC


On Tue, Apr 22, 2014 at 5:14 PM, Martin Rex <mrex@sap.com> wrote:
> Alyssa Rowan wrote:
>>
>> > 1.56% of TLS servers support only RC4.
>>
>> Partly because of PCI compliance testers making noise about BEAST, I'm
>> thinking.
>
> BEAST was and still is a pretty stupid hype.
>
> Even the ssl test at qualys is still making bogus claims about
> servers not being BEAST-patched.  Unless your server is an SSL-VPN server
> or will boldly execute client-supplied active content, there can not
> possibly be a BEAST vulnerability in the TLS server.

It's not about the server: if I only offer TLS 1.0, then clients who
connect to me who aren't 1/(n-1) patched are vulnerable to BEAST,
which leads to theft of credentials. Force RC4, and it isn't
exploitable, no matter how bad the client is. (BEAST was demonstrated
against PayPal on a fully patched browser, with cookies stolen live on
stage. I don't see how it is "stupid hype".)

With modern clients this isn't a concern: TLS 1.1 or higher fixes the
problem, as does 1/(n-1). However, there are enough old clients out
there to apparently make this an issue, and the fix usually forces all
of them to RC4. The one saving grace is BEAST requires a plugin. So
far.

At some point RC4 needs to be removed. The question is now, or after
someone demonstrates the sort of attack that we have nightmares about.
Actually, given the talk about a removal path, 5 years from now or 3
years after someone demonstrates an attack.

>
>
> The larger problem with the use of RC4 is that a number of dense
> TLS clients (e.g. Java) send RC4 cipher suites at the very beginning
> of the list of cipher suites, and a number of dense TLS servers
> choose the first shared cipher from the list proposed by the client
> rather than the first shared cipher from the list configured by the
> server admin.

One side or the other needs patching, preferably both. End of the day
we can't do anything without some actual work getting done on deployed
stuff. But yes, this is a good reminder that not everything is a web
browser that calls home every week for an update.

Sincerely,
Watson Ladd




-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
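The cipher-suite ordering problem Martin describes, as an added example that is not part of the thread: a server that picks the first shared suite in the client's order ends up on RC4 when the client lists RC4 first, while the same server honoring its own configured order does not. The client and server lists are constructed for illustration (the client order imitates the RC4-first behaviour complained about; it is not copied from any specific Java version).

```python
# Added example: how a server's suite-selection policy decides whether
# RC4 gets negotiated. Lists below are constructed, not taken from a real stack.
RC4_SUITES = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}

# Constructed client preference list, RC4 first (assumed ordering).
CLIENT_ORDER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed server configuration: the admin's order puts AES first and
# keeps RC4 only as a last resort for clients that support nothing else.
SERVER_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]


def select_suite(client_order, server_order, honor_server_order):
    """Return the negotiated suite, or None if the two lists share nothing.

    honor_server_order=False models the "dense" server that walks the
    client's list; True models a server walking its own configured list.
    """
    if honor_server_order:
        first, second = server_order, client_order
    else:
        first, second = client_order, server_order
    allowed = set(second)
    for suite in first:
        if suite in allowed:
            return suite
    return None


def audit(client_order, server_order):
    """Negotiate under both policies and flag whether RC4 is the outcome."""
    report = {}
    for policy, honor in (("client_preference", False), ("server_preference", True)):
        suite = select_suite(client_order, server_order, honor)
        report[policy] = {"suite": suite, "rc4": suite in RC4_SUITES}
    return report


if __name__ == "__main__":
    for policy, r in audit(CLIENT_ORDER, SERVER_ORDER).items():
        print(f"{policy}: {r['suite']} (RC4 negotiated: {r['rc4']})")
```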