Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

[mrex@sap.com (Martin Rex)]

Watson Ladd wrote:
[ Charset UTF-8 unsupported, converting... ]
> On Tue, Apr 22, 2014 at 5:14 PM, Martin Rex <mrex@sap.com> wrote:
> > Alyssa Rowan wrote:
> >>
> >> > 1.56% or TLS servers support only RC4.
> >>
> >> Partly because of PCI compliance testers making noise about BEAST, I'm
> >> thinking.
> >
> > BEAST was and still is a pretty stupid hype.
> >
> > Even the ssl test at qualys is still making bogus claims about
> > servers not being BEAST-patched.  Unless your server is a SSL-VPN server
> > or will boldly execute client-supplied active content, there can not
> > possibly be a BEAST vulnerability in the TLS server.
> 
> It's not about the server: if I only offer TLS 1.0, then clients who
> connect to me who aren't 1/(n-1) patched are vulnerable to BEAST,
> which leads to theft of credentials.

So what?  The server isn't vulnerable to BEAST, and when the client
will blissfully execute any attacker-supplied content, then the
silly BEAST demonstration is of no interest at all.  As long as the
client keeps executing arbitrary attacker-supplied active content,
that active content can submit whatever nefarious requests it wants
to have performed on the server, and no amount of 1/(n-1) splitting
and TLSv1.2+AES-GCM can prevent that.



>
> Force RC4, and it isn't exploitable, no matter how bad the client is.
> (BEAST was demonstrated against PayPal on a fully patched browser,
>  with cookies stolen live on stage. I don't see how it is "stupid hype")

It wasn't a "fully patched" browser, it was a wide-open browser.

A fully patched browser would have *NO* active content plugins
(no java, no flash, no pdf, no media, no office, whatever) and
lots of other crap disabled (no scripting, no downloadable fonts, etc).

BEAST only demonstrated that Web Browsers, in the configuration that
they're shipping, are a *HUGE* security problem by themselves.


> 
> With modern clients this isn't a concern: TLS 1.1 or higher fixes the
> problem, as does 1/(n-1).

It fixes the most irrelevant part of the BEAST prerequisites.


>
> However, there are enough old clients out there to apparently make
> this an issue, and the fix usually forces all of them to RC4.
> The one saving grace is BEAST requires a plugin. So far.

BEAST requires a willingness to execute attacker-supplied active content.


> 
> At some point RC4 needs to be removed. The question is now, or after
> someone demonstrates the sort of attack that we have nightmares about.
> Actually, given the talk about a removal path, 5 years from now or 3
> years after someone demonstrates an attack.


Look at the rfc5746 (TLS extension renegotiation_info) adoption rate.
The necessary change was rather small and could be added to *ANY*
version of TLS.  Anything more complicated will take longer to get
deployed in the installed base.


For some vendors, it seems to be primarily a sales strategy issue to
deploy more complex TLS updates.  Microsoft never shipped support for
AES TLS cipher suites (rfc34268) for Windows XP, although this would
have been *trivial* for them.  They had shipped AES for XP with
KB917021 (WPA2 hotfix) in late 2006, and for Windows 2003 / XP 64-bit
they shipped an update with AES TLS cipher suites with KB948963 in 2008.

Hotfixes for secure renegotiation and the 1/(n-1) record splitting
were shipped for XP as well.


For some usage scenarios, record splitting like 1+1+1+1+1+1+1+1+1+1+1/(n-11)
might potentially help somewhat where the RC4 cipher suite can not be avoided.


-Martin