Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

"Carl S. Gutekunst" <csg@alameth.org> Sat, 04 October 2014 18:27 UTC

Return-Path: <csg@alameth.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF4321A0126 for <tls@ietfa.amsl.com>; Sat, 4 Oct 2014 11:27:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.788
X-Spam-Level:
X-Spam-Status: No, score=-2.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EHgYaU5DgpLh for <tls@ietfa.amsl.com>; Sat, 4 Oct 2014 11:26:59 -0700 (PDT)
Received: from articuno.alameth.org (articuno.alameth.org [IPv6:2600:3c01::f03c:91ff:fe70:755c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 938991A0115 for <tls@ietf.org>; Sat, 4 Oct 2014 11:26:59 -0700 (PDT)
Received: from [192.168.147.8] (76-191-206-73.dsl.dynamic.sonic.net [76.191.206.73]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by articuno.alameth.org (Postfix) with ESMTPS id 450FE852A; Sat, 4 Oct 2014 18:32:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alameth.org; s=n01; t=1412447554; bh=IqS25kz1DtpRpoPcNBPwNJR0lpDuEjxGAkmGU3OoW6k=; h=Date:From:To:Subject:References:In-Reply-To; b=f2ebAzhCxOyFbe9j5v0G3BoR8OfMyAGpX78JBNkDtLXNCgMl7mSugpPYeatH7sMEx Os/iPieSosBIrGbGe6EVx2aj4Hl2FAK3eYvGeJ6GyhUZjRCyCLfNm6vs0S7YIgUPNW +21HNVt47Ty/TrI43vz8wssvqNOi3A7KgOVz8RWk=
Message-ID: <54303BF2.2090904@alameth.org>
Date: Sat, 04 Oct 2014 11:26:58 -0700
From: "Carl S. Gutekunst" <csg@alameth.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: Hubert Kario <hkario@redhat.com>, tls@ietf.org
References: <20141002005804.2760C1AE9D@ld9781.wdf.sap.corp> <BA2DFF33-7B0C-4E87-9C0E-215933AED88F@akr.io> <2A0EFB9C05D0164E98F19BB0AF3708C71D2F8F7E83@USMBX1.msg.corp.akamai.com> <CADMpkcJEt4e7LJAY+FsFcbyQE2x3SXsaOW3bffV4U2oN9EUKrg@mail.gmail.com> <542D850E.2060900@akr.io> <CADMpkc+Zbu64wek2HayW2tCf+d1ZYLocMp2PzXncyS=fHPDwsg@mail.gmail.com> <542DB1D4.4020601@akr.io> <20141003042418.GS13254@mournblade.imrryr.org> <1878200851.5790803.1412334914571.JavaMail.zimbra@redhat.com>
In-Reply-To: <1878200851.5790803.1412334914571.JavaMail.zimbra@redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WOzZLEDZB380vYG70zCdUNw7kpM
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Oct 2014 18:27:01 -0000

On 10/03/2014 04:15 AM, Hubert Kario wrote:
> This is not the case.
>
> Only about 1% of servers support only RC4 cipher, 1.5% if you're
> using Firefox[1].
>
> On the other hand, over 21% of servers will negotiate a RC4 cipher
> in case you're using Firefox (and nearly 18% if you're using
> OpenSSL-like supported cipher list).

Note that in the SMTP world, use of RC4 (and a bias towards RC4) is more 
prevalent than on web servers. This is in large measure because 
Microsoft Exchange Server 2003 shipped with only RC4 and 3DES, and the 
3DES implementation crashed somewhere around the MAIL FROM dialog. I 
still regularly run into these old, unpatched servers. I tell them to 
install AES support, but they usually ignore me, abandon my product, and 
switch to one that "works" -- that is, it uses TLS v1 and RC4.

<csg>