Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-encrypt-then-mac)
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 11 April 2014 19:31 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA2E1A03BC for <tls@ietfa.amsl.com>; Fri, 11 Apr 2014 12:31:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3q_a_6gyIQNJ for <tls@ietfa.amsl.com>; Fri, 11 Apr 2014 12:31:53 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id C0B0C1A02D4 for <tls@ietf.org>; Fri, 11 Apr 2014 12:31:52 -0700 (PDT)
Received: from [10.70.10.85] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 50C2AF986 for <tls@ietf.org>; Fri, 11 Apr 2014 15:31:50 -0400 (EDT)
Message-ID: <53484319.5090504@fifthhorseman.net>
Date: Fri, 11 Apr 2014 15:31:37 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBOvxL7Zws0UNowViBWGaVBgfm3zXt8=dNPKffGfN3q2gA@mail.gmail.com>
In-Reply-To: <CABcZeBOvxL7Zws0UNowViBWGaVBgfm3zXt8=dNPKffGfN3q2gA@mail.gmail.com>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="bt3XdFXuNsat2tgph0XS6tjjVXdpKCUSv"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_z1aCvSCuW_pMT3xsGhsA3ZM7Dg
Subject: Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-encrypt-then-mac)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Apr 2014 19:31:56 -0000
On 04/11/2014 02:50 PM, Eric Rescorla wrote: > Andrei Popov has refreshed his draft on deprecating RC4: > > http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02 I would be happy to see RC4 go away, and if this helps push the 'net across that boundary, I would be happy to see it. I have two concerns with the current draft, though: 0) XP, WinServer2003, and even weaker ciphers ---------------------------------------------- Windows XP and Windows Server 2003 offer a very limited selection of ciphersuites: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx The only two ciphers that are close to plausible here RC4 and 3DES-CBC. The other ones are even weaker. If we say that such a system shouldn't offer RC4, should they continue offering the even weaker ciphers as well, like TLS_RSA_WITH_DES_CBC_SHA or, uh, TLS_RSA_WITH_NULL_SHA ? Do we have comparable text that deprecates these other ciphers? Windows XP was EOL'ed earlier this week, but everyone knows that it is still in disturbingly widespread use. Windows Server 2003 is supposed to be in extended support until the middle of 2015. Is there any prospect of an SChannel update for these systems that would make these clients behave better on the modern network? 1) opportunistic TLS in fallback-to-clear contexts --------------------------------------------------- as broken as RC4 is, it's better than cleartext. There are contexts in which TLS is used only when it can be negotiated, and otherwise the same communication is retried in the clear. One such example is SMTP mail delivery. It would be a net loss in security if this draft caused a mailserver to fail to negotiate TLS, and then it came back and reconnected to deliver the same message in the clear. Some text that thoughtfully acknowledges this context and indicates what servers and clients should do knowing that old peers exist would probably be useful. More generally, and i know i've banged on this drum before, i wish we had a better idea about how to proactively deprecate weak crypto in general. It seems like we always do it in an ad-hoc fashion, and we roll out new crypto without a thought about how we're going to deal with its inevitable demise (except maybe by yanking it in some ad-hoc way in the future). I've got no good recommendations for how to do this, but i would love to hear some. --dkg
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Matt Caswell
- [TLS] Deprecating RC4 (was: draft-ietf-tls-encryp… Eric Rescorla
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Thomson
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Kurt Roeckx
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Daniel Kahn Gillmor
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Peter Yee
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Andrei Popov
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Stephen Checkoway
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Yoav Nir
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Geoffrey Keating
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Jim Schaad
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Manuel Pégourié-Gonnard
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Johannes Merkle
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Stephen Farrell
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Richard Hartmann
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Yoav Nir
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Warren Kumari
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Eric Rescorla
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Rex
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Thomson
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Martin Rex
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Watson Ladd
- Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-en… Bill Frantz
- [TLS] Deprecating more (DSA?) (was Re: Deprecatin… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Yoav Nir
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Daniel Kahn Gillmor
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Hanno Böck
- Re: [TLS] Deprecating more (DSA?) (was Re: Deprec… Tom Ritter
- Re: [TLS] Deprecating more (DSA?) Alyssa Rowan
- Re: [TLS] Deprecating more (DSA?) Joseph Salowey (jsalowey)
- Re: [TLS] Deprecating more (DSA?) Watson Ladd
- Re: [TLS] Deprecating more (DSA?) Alyssa Rowan
- Re: [TLS] Deprecating more (DSA?) Johannes Merkle
- Re: [TLS] Deprecating more (DSA?) Brian Sniffen
- Re: [TLS] Deprecating more (DSA?) Bill Frantz
- Re: [TLS] Deprecating more (DSA?) Watson Ladd
- Re: [TLS] Deprecating more (DSA?) Samuel Neves
- Re: [TLS] Deprecating more (DSA?) Bill Frantz