[TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

Alyssa Rowan <akr@akr.io> Sat, 19 April 2014 20:10 UTC

Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26B181A00A5 for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 13:10:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.003
X-Spam-Level:
X-Spam-Status: No, score=-0.003 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E9wKjovgsuQK for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 13:10:25 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id D83391A0055 for <tls@ietf.org>; Sat, 19 Apr 2014 13:10:24 -0700 (PDT)
Message-ID: <5352D82C.2030302@akr.io>
Date: Sat, 19 Apr 2014 21:10:20 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com> <20140419131019.GA29561@roeckx.be> <5352B328.1080006@pobox.com> <20140419175352.GA9090@roeckx.be> <238BBDD5-DDE5-4627-AF4D-BC57DC0E61D7@gmail.com>
In-Reply-To: <238BBDD5-DDE5-4627-AF4D-BC57DC0E61D7@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eGjta3YnDQgrjpqUmHGfPkdF_1M
Subject: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 20:10:27 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 19/04/2014 20:28, Yoav Nir wrote:

> As long as the client is required to support such servers, I guess 
> we have to live with it.

I think the only correct deprecation path to recommend is the one
that's on the table right now: the off switch.

Warn your users if you have to. But don't negotiate RC4 without a
click-through warning.

RC4 is either on the brink of being cracked, given the serious known
weaknesses pointed out in Section 1 of the draft, or it is already
over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were
talking about that they got from NSA, and that seems plausible to me,
and to several others, including Schneier).

If it's on the brink, then when it's cracked, captured traffic can
(and will) be retroactively decrypted. If it's over the brink, that's
already happening.

That window of opportunity was widened by advice given to use RC4-SHA
to avoid BEAST, which is why some servers prefer RC4 to AES-128. (That
was very bad advice, with 20:20 hindsight.)

We need to close that window now. As you've seen in this discussion,
there is only one safe way to close that window: disable RC4
completely. Any delay in disabling RC4 leaves that window open for
longer, and leaves users subject to a false sense of security about
their connections that should be protected by that little 'lock icon'.

I don't think we can in good conscience recommend any delay. That's
why the draft we have strong consensus on is crystal-clear:

   o  TLS clients MUST NOT include RC4 cipher suites in the ClientHello
      message.

   o  TLS servers MUST NOT select an RC4 cipher suite when a TLS client
      sends such a cipher suite in the ClientHello message.

   o  If the TLS client only offers RC4 cipher suites, the TLS server
      MUST terminate the handshake.  The TLS server MAY send the
      insufficient_security fatal alert in this case.

In short: RC4 is Considered Harmful. Kill it with fire.


On 19/04/2014 20:54, Kurt Roeckx wrote:

> IE on XP is known to only support 3DES, RC4, and some export 
> ciphers.

Firstly, of those options, they're all bad. 3DES is the less awful
option in my opinion (because BEAST is an active attack, but RC4 is or
will be vulnerable to a passive attack applicable in retrospect), but
none of them are recommended.

But, reminder: support for Windows XP ended 11 days ago. It's now off
life-support... it's got bigger problems than even 3DES.

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTUtgsAAoJEOyEjtkWi2t6vUMP/jPu/pPVELPORfPfhyN7sxCV
+6WrH6T933A/2RgkvvIHGXovMWceu95Kf9yT8qQSsbG3kIJIoFYSr+cMSa0+2F7r
+cELTer21kavBgHlxJuS2plAZbgU72J1AYhkC5CxyHG6cUW5vAXmBDTSqOJikdks
j5/NiClm9hh0EiKgkTBvcAsmt9I/md6RIP9kEgwlgwCXTakjWG2xY3PCTJoLC3ta
ryb6HGyBD4dUlOAexh8ttBc5pei1hjTvrM3fDxXHLtLB/WGEuE24Ljf5UzBeLGli
WFgMTmy8nGXSDgQgLTzkhX4IQSDI8vRd9H7NP3aKVyxPyjILShEuR08OEYgW21Vf
G74tkB3LwToKRvvrZlv99/W7R0sIFRkqA8Zwq/9/TwqSWMwrbkn3x75GG35jEa98
LpX9OXvr1Q6nVEwL9S3vR8kFMggRMG0WZ6ypbF13AcrCzxDckC/gp3kFPstRlf1T
k+C4b88FTexBNk6L00s2crrvLs8mcjBCWbPlT9ylYTA1Y9bZjdW3jU4JQ20haplb
Qto5NIKPI0StmYaQ5ApKfN7UDAFqLZwD6SUxDFgfANbssvPKsEi/6zhiNLXEhydp
QB6o7PAtHsZvVkdBpvjPB0DOEPbTsb7sSagK41rGReZDcX8WoKL2l4/i4noFmmYJ
QRik78o7c2X5zdKam8Rm
=0nHD
-----END PGP SIGNATURE-----