Re: [TLS] Prohibiting RC4 Cipher Suites

Andrei Popov <> Thu, 22 August 2013 23:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2E6FB11E827F for <>; Thu, 22 Aug 2013 16:54:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.099
X-Spam-Status: No, score=-4.099 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RNiUSuQ-KbHv for <>; Thu, 22 Aug 2013 16:54:20 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B433711E827B for <>; Thu, 22 Aug 2013 16:54:19 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.745.25; Thu, 22 Aug 2013 23:24:06 +0000
Received: from ([]) by ([]) with mapi id 15.00.0745.000; Thu, 22 Aug 2013 23:24:05 +0000
From: Andrei Popov <>
To: Yaron Sheffer <>, "" <>
Thread-Topic: [TLS] Prohibiting RC4 Cipher Suites
Thread-Index: AQHOnwo/26xymWMV+kOMJzEU3b3OB5mh0iXQ
Date: Thu, 22 Aug 2013 23:24:05 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0946DC87A1
x-forefront-antispam-report: SFV:NSPM; SFS:(164054003)(13464003)(51914003)(377454003)(199002)(189002)(69226001)(56776001)(74876001)(74316001)(31966008)(81542001)(4396001)(77096001)(54316002)(76482001)(74502001)(74662001)(54356001)(81342001)(74706001)(50986001)(47736001)(56816003)(47446002)(80976001)(79102001)(80022001)(65816001)(59766001)(77982001)(47976001)(74366001)(46102001)(51856001)(83072001)(76576001)(63696002)(53806001)(49866001)(76796001)(19580405001)(83322001)(19580395003)(33646001)(76786001)(81686001)(81816001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB195;; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] Prohibiting RC4 Cipher Suites
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 Aug 2013 23:54:24 -0000

Hi Yaron,

Thanks for the feedback.

Are there any major web browsers that only support RC4? I am not aware of any.
Arguably, the common fallback for web users is to install a different browser, rather than try to find a non-TLS service (which is not always an available option).



-----Original Message-----
From: [] On Behalf Of Yaron Sheffer
Sent: Thursday, August 22, 2013 12:36 AM
Subject: [TLS] Prohibiting RC4 Cipher Suites

Hi Andrei,

Thank you for the new draft. While I agree with the motivation and with the first two recommendations (do not offer RC4, do not accept RC4 - if
possible!) I disagree that it is better to completely reject a client that offers only RC4, because the intuitive fallback for Web users is simply, don't do TLS. In a world of pervasive passive surveillance (see, we would prefer sessions to be encrypted even if it means that an active attacker, working hard, can break into them. And yes, the is the age old "false sense of security" discussion, yet again.

TLS mailing list