IETF Logo Mail Archive

Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-encrypt-then-mac)

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 11 April 2014 19:31 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA2E1A03BC for <tls@ietfa.amsl.com>; Fri, 11 Apr 2014 12:31:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3q_a_6gyIQNJ for <tls@ietfa.amsl.com>; Fri, 11 Apr 2014 12:31:53 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id C0B0C1A02D4 for <tls@ietf.org>; Fri, 11 Apr 2014 12:31:52 -0700 (PDT)
Received: from [10.70.10.85] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 50C2AF986 for <tls@ietf.org>; Fri, 11 Apr 2014 15:31:50 -0400 (EDT)
Message-ID: <53484319.5090504@fifthhorseman.net>
Date: Fri, 11 Apr 2014 15:31:37 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBOvxL7Zws0UNowViBWGaVBgfm3zXt8=dNPKffGfN3q2gA@mail.gmail.com>
In-Reply-To: <CABcZeBOvxL7Zws0UNowViBWGaVBgfm3zXt8=dNPKffGfN3q2gA@mail.gmail.com>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="bt3XdFXuNsat2tgph0XS6tjjVXdpKCUSv"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_z1aCvSCuW_pMT3xsGhsA3ZM7Dg
Subject: Re: [TLS] Deprecating RC4 (was: draft-ietf-tls-encrypt-then-mac)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Apr 2014 19:31:56 -0000

On 04/11/2014 02:50 PM, Eric Rescorla wrote:

> Andrei Popov has refreshed his draft on deprecating RC4:
> 
> http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02

I would be happy to see RC4 go away, and if this helps push the 'net
across that boundary, I would be happy to see it.

I have two concerns with the current draft, though:


0) XP, WinServer2003, and even weaker ciphers
----------------------------------------------

Windows XP and Windows Server 2003 offer a very limited selection of
ciphersuites:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa380512%28v=vs.85%29.aspx

The only two ciphers that are close to plausible here RC4 and 3DES-CBC.
 The other ones are even weaker.

If we say that such a system shouldn't offer RC4, should they continue
offering the even weaker ciphers as well, like TLS_RSA_WITH_DES_CBC_SHA
or, uh, TLS_RSA_WITH_NULL_SHA ?  Do we have comparable text that
deprecates these other ciphers?

Windows XP was EOL'ed earlier this week, but everyone knows that it is
still in disturbingly widespread use.

Windows Server 2003 is supposed to be in extended support until the
middle of 2015.

Is there any prospect of an SChannel update for these systems that would
make these clients behave better on the modern network?


1) opportunistic TLS in fallback-to-clear contexts
---------------------------------------------------

as broken as RC4 is, it's better than cleartext.  There are contexts in
which TLS is used only when it can be negotiated, and otherwise the same
communication is retried in the clear.  One such example is SMTP mail
delivery.

It would be a net loss in security if this draft caused a mailserver to
fail to negotiate TLS, and then it came back and reconnected to deliver
the same message in the clear.

Some text that thoughtfully acknowledges this context and indicates what
servers and clients should do knowing that old peers exist would
probably be useful.



More generally, and i know i've banged on this drum before, i wish we
had a better idea about how to proactively deprecate weak crypto in
general.  It seems like we always do it in an ad-hoc fashion, and we
roll out new crypto without a thought about how we're going to deal with
its inevitable demise (except maybe by yanking it in some ad-hoc way in
the future).  I've got no good recommendations for how to do this, but i
would love to hear some.

	--dkg

v2.23.0 | Report a Bug | By Email