Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

Jacob Appelbaum <> Sat, 19 April 2014 23:58 UTC

Date: Sat, 19 Apr 2014 23:58:48 +0000
From: Jacob Appelbaum <>
To: Alyssa Rowan <>
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

On 4/19/14, Alyssa Rowan <> wrote:
> On 19/04/2014 20:28, Yoav Nir wrote:
>> As long as the client is required to support such servers, I guess
>> we have to live with it.
> I think the only correct deprecation path to recommend is the one
> that's on the table right now: the off switch.
> Warn your users if you have to. But don't negotiate RC4 without a
> click-through warning.
> RC4 is either on the brink of being cracked, given the serious known
> weaknesses pointed out in Section 1 of the draft, or it is already
> over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were
> talking about that they got from NSA, and that seems plausible to me,
> and to several others, including Schneier).

I think that RC4 is completely broken for certain adversaries. It
should be totally abandoned.

> If it's on the brink, then when it's cracked, captured traffic can
> (and will) be retroactively decrypted. If it's over the brink, that's
> already happening.

Yes, I agree. I believe that this is already happening.

> That window of opportunity was widened by advice given to use RC4-SHA
> to avoid BEAST, which is why some servers prefer RC4 to AES-128. (That
> was very bad advice, with 20:20 hindsight.)
> We need to close that window now. As you've seen in this discussion,
> there is only one safe way to close that window: disable RC4
> completely. Any delay in disabling RC4 leaves that window open for
> longer, and leaves users subject to a false sense of security about
> their connections that should be protected by that little 'lock icon'.
> I don't think we can in good conscience recommend any delay. That's
> why the draft we have strong consensus on is crystal-clear:
>    o  TLS clients MUST NOT include RC4 cipher suites in the ClientHello
>       message.
>    o  TLS servers MUST NOT select an RC4 cipher suite when a TLS client
>       sends such a cipher suite in the ClientHello message.
>    o  If the TLS client only offers RC4 cipher suites, the TLS server
>       MUST terminate the handshake.  The TLS server MAY send the
>       insufficient_security fatal alert in this case.
> In short: RC4 is Considered Harmful. Kill it with fire.

I agree entirely. RC4 needs to die in a fire. A celebratory TLS 1.3 fire.

All the best,
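The three requirements quoted from the draft above, as an added example that is not part of this thread or of the draft: a small Python model of a server checking a ClientHello cipher_suites vector and applying the client-side and server-side rules. The RC4 code point set is assumed to be representative rather than exhaustive, and the alert codes follow RFC 5246 (fatal = 2, insufficient_security = 71, handshake_failure = 40).

```python
import struct

# Assumed, non-exhaustive set of IANA cipher suite code points that use RC4.
# A real implementation should derive this from the registry, not a hand list.
RC4_SUITES = {0x0003, 0x0004, 0x0005, 0x0017, 0x0018, 0x008A, 0x008E, 0x0092,
              0xC002, 0xC007, 0xC00C, 0xC011, 0xC016, 0xC033}

ALERT_FATAL = 2
ALERT_HANDSHAKE_FAILURE = 40
ALERT_INSUFFICIENT_SECURITY = 71


def parse_cipher_suites(vec):
    """Parse a ClientHello cipher_suites vector: 2-byte length, then 2-byte IDs."""
    if len(vec) < 2:
        raise ValueError("truncated cipher_suites vector")
    (n,) = struct.unpack("!H", vec[:2])
    body = vec[2:2 + n]
    if len(body) != n or n % 2 or n == 0:
        raise ValueError("cipher_suites length mismatch")
    return list(struct.unpack("!%dH" % (n // 2), body))


def client_hello_is_compliant(offered):
    """Rule 1: a compliant client never lists an RC4 suite in its ClientHello."""
    return not any(s in RC4_SUITES for s in offered)


def server_select(offered, server_prefs):
    """Rules 2 and 3 on the server side.

    Returns ("suite", id) for a negotiated non-RC4 suite, or ("alert", bytes)
    for a fatal alert (level, description) that terminates the handshake.
    """
    # Rule 2: never select RC4, even if the client lists it (and even if the
    # server's own preference list still contains it).
    acceptable = [s for s in server_prefs if s in offered and s not in RC4_SUITES]
    if acceptable:
        return ("suite", acceptable[0])
    # Rule 3: the client offered only RC4, so terminate with insufficient_security.
    if all(s in RC4_SUITES for s in offered):
        return ("alert", bytes([ALERT_FATAL, ALERT_INSUFFICIENT_SECURITY]))
    # Ordinary case of no common non-RC4 suite: plain handshake_failure.
    return ("alert", bytes([ALERT_FATAL, ALERT_HANDSHAKE_FAILURE]))


if __name__ == "__main__":
    # Constructed vector: length 6, then RC4-SHA, ECDHE-RSA-RC4-SHA, AES128-SHA.
    offered = parse_cipher_suites(bytes.fromhex("0006" "0005" "c011" "002f"))
    print("client compliant:", client_hello_is_compliant(offered))
    print("server decision:", server_select(offered, [0xC02F, 0x002F, 0x0005]))
```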