Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

[Hubert Kario <hkario@redhat.com>]

----- Original Message -----
> From: "Martin Rex" <mrex@sap.com>
> To: "Hubert Kario" <hkario@redhat.com>
> Cc: tls@ietf.org
> Sent: Monday, 6 October, 2014 9:58:44 PM
> Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
> 
> Hubert Kario wrote:
> > 
> > Only about 1% of servers support only RC4 cipher, 1.5% if you're
> > using Firefox[1].
> > 
> > On the other hand, over 21% of servers will negotiate a RC4 cipher
> > in case you're using Firefox (and nearly 18% if you're using
> > OpenSSL-like supported cipher list).
> > 
> > So by dropping RC4 from your first ClientHello (in case you do use
> > fallback) may as well cut your RC4 usage by over 20%!
> 
> We're talking past each other here.
> 
> I'm perfectly OK with the MUST NOT for the __client__ (!!), and
> I will not mind the slightest if (Browser or other) TLS clients that
> implement the awkward application-level reconnect fallback logic
> for TLS handshake failures start "punishing" the remaining RC4-only
> servers with reconnect fallbacks.

that doesn't increase security against targeted attacks, which are
basically the only ones against which we need protection
 
> My issue is with the IMHO bogus "MUST NOT" for servers.
> Servers have no control over the client behaviour, and the current
> proposal calls for an unconditional hard failure (equals to
> "come back in clear text") rather than interoperating with an
> RC4-based TLS cipher suites with installed base clients.

thing is that only very specific clients do advertise only RC4,
far less than there are RC4 only servers. Cloudflare saw on the
order of 0.000002% of connections end up with RC4:
http://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/
All from long obsolete clients.

Previously they saw on the order of 0.0009%:
http://blog.cloudflare.com/killing-rc4-the-long-goodbye/


-- 
Regards,
Hubert Kario