IETF Logo Mail Archive

Re: [TLS] RC4 depreciation path (Re: Deprecating more (DSA?))

Kurt Roeckx <kurt@roeckx.be> Sat, 19 April 2014 13:10 UTC

Return-Path: <kurt@roeckx.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71BD21A0201 for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 06:10:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T5zPqyBn_e42 for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 06:10:26 -0700 (PDT)
Received: from defiant.e-webshops.eu (defiant.e-webshops.eu [82.146.122.140]) by ietfa.amsl.com (Postfix) with ESMTP id 8CDAE1A01FB for <tls@ietf.org>; Sat, 19 Apr 2014 06:10:25 -0700 (PDT)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by defiant.e-webshops.eu (Postfix) with ESMTP id F17F51C2121; Sat, 19 Apr 2014 15:10:19 +0200 (CEST)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id BCC8D1FE0214; Sat, 19 Apr 2014 15:10:19 +0200 (CEST)
Date: Sat, 19 Apr 2014 15:10:19 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20140419131019.GA29561@roeckx.be>
References: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Ot10GOJlxA0SLUcTTh2VOO_1iso
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 depreciation path (Re: Deprecating more (DSA?))
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 13:10:32 -0000

On Fri, Apr 18, 2014 at 11:03:44PM -0700, Watson Ladd wrote:
> On Thu, Apr 17, 2014 at 9:15 AM, Brian Sniffen <bsniffen@akamai.com> wrote:
> > Alyssa Rowan <akr@akr.io> writes:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA512
> >>
> >> It looks like RC4 is rapidly heading for the chopping block, with
> >> basically unanimous consensus. Good.
> >
> > Agreed, mod Martin's proposal that I understand to ask for a reasonable
> > path by which we strongly deprecate RC4 on clients, then after a client
> > generation ban RC4 on clients and deprecate for servers.
> 
> I don't think this is the correct path. I think what we should do is
> have clients and servers both prefer other options (in all TLS
> versions), then once that change is made, ban it entirely. Deprecation
> on one side won't affect the other side if there isn't an alternative
> mandated. (Right now RC4 only servers are keeping RC4 alive).
> 
> This first step has already happened in the web context on modern
> browsers. What we need is to make the server side step happen, and
> then think about removal in the second step.
> 
> Sadly, our ability to force upgrades is very limited.

And I think publishing an RFC isn't actually really going to help
much.  Yes, people could use it tell others that it's deprecated,
but I think there are already more than enough places that say so
that having this RFC isn't really going to make a difference.

I do agree that we need to try to get both sides to stop using it,
and I wish we could just tell people to stop using it and that
they would do so.  But I don't see either the server or the client
side wanting to break things.  It would clearly help if they could
say at which point they wouldn't mind breaking things.

So I think that for now the best we can do is:
- Servers should either stop accepting RC4 or make sure that 
  if the clients supports something better (TLS >= 1.1?) it should
  not pick RC4.
  It's my understanding that the client preferences of ciphers
  should be used but that servers can override that, and that
  there might be good reasons to do so. For instance to get PFS
  when talking to Internet Explorer.  If they override it, they
  should make sure not to put RC4 first.  Basically, a mondern
  client should never get RC4.
- Clients should not announce support for RC4 in their initial
  connection attempt, and only fall back to support it when the
  server says that there are no common ciphers.  (I'm not sure
  if a MITM can fake that response or not.)

At some point in time when the clients or servers think that they
don't need to support RC4 anymore they should disable it.


Kurt

v2.23.0 | Report a Bug | By Email