Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

Jacob Appelbaum <jacob@appelbaum.net> Sat, 19 April 2014 23:58 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480281A008F for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 16:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5MIpKtwchx9A for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 16:58:53 -0700 (PDT)
Received: from mail-qg0-f51.google.com (mail-qg0-f51.google.com [209.85.192.51]) by ietfa.amsl.com (Postfix) with ESMTP id 3D24F1A00A2 for <tls@ietf.org>; Sat, 19 Apr 2014 16:58:53 -0700 (PDT)
Received: by mail-qg0-f51.google.com with SMTP id f51so947736qge.10 for <tls@ietf.org>; Sat, 19 Apr 2014 16:58:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=a3k5FQOlQt7OHPFoff6ppCQqtCMhDPqvT8yHQTOoT/s=; b=Oq5NNM4DmL8skvVkY/xDZ0XUYxcLKns0VJgPfTVSaS25cDPERHj7gCcFDAYkISv5En lICHkSkGiJAr1sxBHshT/5lTzEPxF8SlJWPuW3TImfuOq/QWGgopHNSc6Hnp1gZ6XPu/ gSHi5AXp/m1T2GkI7Z1Q6pnWkuvlk91OyxxhOSkWyoCHhi40D91mJl4bYH2ytgjL5A4A 2Ve+xB55nOvlFCYYxnEpYfWDHzIT71YrCk7DuP3j9t+W43VVVPBGlBUBVJXa/vGADsQV mGyfKWST5/XEePGd+AlEiEzIS55Wub+/y0/e0wVFbDwfOx1fOb5upHAW892eoxqhGZYd dkKQ==
X-Gm-Message-State: ALoCoQla/xIggI7DxGqtrbJKNyf3+jCtNGFKKh3FruI1bIkQR+wtThVh0DXrPhHNUlFkHv6oGQK1
MIME-Version: 1.0
X-Received: by 10.140.47.206 with SMTP id m72mr23759309qga.21.1397951928308; Sat, 19 Apr 2014 16:58:48 -0700 (PDT)
Received: by 10.140.100.205 with HTTP; Sat, 19 Apr 2014 16:58:48 -0700 (PDT)
X-Originating-IP: [109.201.138.210]
In-Reply-To: <5352D82C.2030302@akr.io>
References: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com> <20140419131019.GA29561@roeckx.be> <5352B328.1080006@pobox.com> <20140419175352.GA9090@roeckx.be> <238BBDD5-DDE5-4627-AF4D-BC57DC0E61D7@gmail.com> <5352D82C.2030302@akr.io>
Date: Sat, 19 Apr 2014 23:58:48 +0000
Message-ID: <CAFggDF0Kh+F3R+NtKZ-WhQWn3gO9quGhaFL8Qnx1a6TiVbAmGQ@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Alyssa Rowan <akr@akr.io>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/fiQSevUvRU6iWyKpAYHggutkiMs
Cc: tls@ietf.org
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 23:58:57 -0000

On 4/19/14, Alyssa Rowan <akr@akr.io>; wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 19/04/2014 20:28, Yoav Nir wrote:
>
>> As long as the client is required to support such servers, I guess
>> we have to live with it.
>
> I think the only correct deprecation path to recommend is the one
> that's on the table right now: the off switch.
>
> Warn your users if you have to. But don't negotiate RC4 without a
> click-through warning.
>
> RC4 is either on the brink of being cracked, given the serious known
> weaknesses pointed out in Section 1 of the draft, or it is already
> over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were
> talking about that they got from NSA, and that seems plausible to me,
> and to several others, including Schneier).
>

I think that RC4 is completely broken for certain adversaries. It
should be totally abandoned.

> If it's on the brink, then when it's cracked, captured traffic can
> (and will) be retroactively decrypted. If it's over the brink, that's
> already happening.
>

Yes, I agree. I believe that this is already happening.

> That window of opportunity was widened by advice given to use RC4-SHA
> to avoid BEAST, which is why some servers prefer RC4 to AES-128. (That
> was very bad advice, with 20:20 hindsight.)
>
> We need to close that window now. As you've seen in this discussion,
> there is only one safe way to close that window: disable RC4
> completely. Any delay in disabling RC4 leaves that window open for
> longer, and leaves users subject to a false sense of security about
> their connections that should be protected by that little 'lock icon'.
>
> I don't think we can in good conscience recommend any delay. That's
> why the draft we have strong consensus on is crystal-clear:
>
>    o  TLS clients MUST NOT include RC4 cipher suites in the ClientHello
>       message.
>
>    o  TLS servers MUST NOT select an RC4 cipher suite when a TLS client
>       sends such a cipher suite in the ClientHello message.
>
>    o  If the TLS client only offers RC4 cipher suites, the TLS server
>       MUST terminate the handshake.  The TLS server MAY send the
>       insufficient_security fatal alert in this case.
>
> In short: RC4 is Considered Harmful. Kill it with fire.
>

I agree entirely. RC4 needs to die in a fire. A celebratory TLS 1.3 fire.

All the best,
Jacob