Re: [TLS] Prohibiting RC4 Cipher Suites
Andrei Popov <Andrei.Popov@microsoft.com> Thu, 22 August 2013 23:54 UTC
Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E6FB11E827F for <tls@ietfa.amsl.com>; Thu, 22 Aug 2013 16:54:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.099
X-Spam-Level:
X-Spam-Status: No, score=-4.099 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RNiUSuQ-KbHv for <tls@ietfa.amsl.com>; Thu, 22 Aug 2013 16:54:20 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0212.outbound.protection.outlook.com [207.46.163.212]) by ietfa.amsl.com (Postfix) with ESMTP id B433711E827B for <tls@ietf.org>; Thu, 22 Aug 2013 16:54:19 -0700 (PDT)
Received: from BL2PR03MB194.namprd03.prod.outlook.com (10.255.230.142) by BL2PR03MB195.namprd03.prod.outlook.com (10.255.230.153) with Microsoft SMTP Server (TLS) id 15.0.745.25; Thu, 22 Aug 2013 23:24:06 +0000
Received: from BL2PR03MB194.namprd03.prod.outlook.com ([169.254.14.159]) by BL2PR03MB194.namprd03.prod.outlook.com ([169.254.14.218]) with mapi id 15.00.0745.000; Thu, 22 Aug 2013 23:24:05 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Prohibiting RC4 Cipher Suites
Thread-Index: AQHOnwo/26xymWMV+kOMJzEU3b3OB5mh0iXQ
Date: Thu, 22 Aug 2013 23:24:05 +0000
Message-ID: <33d9189a96054eb8b239102453d92c5b@BL2PR03MB194.namprd03.prod.outlook.com>
References: <5215BF4A.7020909@gmail.com>
In-Reply-To: <5215BF4A.7020909@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0946DC87A1
x-forefront-antispam-report: SFV:NSPM; SFS:(164054003)(13464003)(51914003)(377454003)(199002)(189002)(69226001)(56776001)(74876001)(74316001)(31966008)(81542001)(4396001)(77096001)(54316002)(76482001)(74502001)(74662001)(54356001)(81342001)(74706001)(50986001)(47736001)(56816003)(47446002)(80976001)(79102001)(80022001)(65816001)(59766001)(77982001)(47976001)(74366001)(46102001)(51856001)(83072001)(76576001)(63696002)(53806001)(49866001)(76796001)(19580405001)(83322001)(19580395003)(33646001)(76786001)(81686001)(81816001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB195; H:BL2PR03MB194.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Subject: Re: [TLS] Prohibiting RC4 Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 23:54:24 -0000
Hi Yaron, Thanks for the feedback. Are there any major web browsers that only support RC4? I am not aware of any. Arguably, the common fallback for web users is to install a different browser, rather than try to find a non-TLS service (which is not always an available option). Cheers, Andrei -----Original Message----- From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Yaron Sheffer Sent: Thursday, August 22, 2013 12:36 AM To: tls@ietf.org Subject: [TLS] Prohibiting RC4 Cipher Suites Hi Andrei, Thank you for the new draft. While I agree with the motivation and with the first two recommendations (do not offer RC4, do not accept RC4 - if possible!) I disagree that it is better to completely reject a client that offers only RC4, because the intuitive fallback for Web users is simply, don't do TLS. In a world of pervasive passive surveillance (see https://www.ietf.org/mailman/listinfo/perpass), we would prefer sessions to be encrypted even if it means that an active attacker, working hard, can break into them. And yes, the is the age old "false sense of security" discussion, yet again. Thanks, Yaron <https://www.ietf.org/mailman/listinfo/perpass> _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Prohibiting RC4 Cipher Suites Andrei Popov
- Re: [TLS] Prohibiting RC4 Cipher Suites Paterson, Kenny
- [TLS] Prohibiting RC4 Cipher Suites Yaron Sheffer
- Re: [TLS] Prohibiting RC4 Cipher Suites Andrei Popov
- Re: [TLS] Prohibiting RC4 Cipher Suites Andrei Popov
- Re: [TLS] Prohibiting RC4 Cipher Suites Yaron Sheffer
- [TLS] Prohibiting RC4 Cipher Suites Andrei Popov