Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 October 2014 20:40 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B74DD1A8A87 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 13:40:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BsLrJiNI1eIP for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 13:40:38 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9B711A0231 for <tls@ietf.org>; Fri, 24 Oct 2014 13:40:38 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0FB742AB2E7; Fri, 24 Oct 2014 20:40:37 +0000 (UTC)
Date: Fri, 24 Oct 2014 20:40:37 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141024204036.GR19158@mournblade.imrryr.org>
References: <CAO7N=i3gC=+qcgHU=aMKtRyT7tZV5fm=9gJii-=yOpcNECOEvA@mail.gmail.com> <20141022175238.GF19158@mournblade.imrryr.org> <544837FD.202@cs.tcd.ie> <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF651E4@USMBX1.msg.corp.akamai.com> <5449A667.9040105@cs.tcd.ie> <20141024133728.GI19158@mournblade.imrryr.org> <m2h9yts047.fsf@localhost.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <m2h9yts047.fsf@localhost.localdomain>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kNCIXYYMMIhghG_GKsTF7sl5Wx8
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 20:40:42 -0000

On Fri, Oct 24, 2014 at 01:07:04PM -0700, Geoffrey Keating wrote:

> Suppose 20% of hosts will use RC4 if it is offered, and 0.1% will
> refuse a connection if RC4 is not offered.  Then by not offering RC4,
> you are downgrading 0.1% to plaintext (assuming that's what happens)
> and upgrading 20% to a secure cipher---in the short term.  I believe
> that in itself is likely to be a win overall.

Well, the 20% "upgrade" is invisible and offers no immediate benefit,
while the 0.1% breakage causes people operational headaches, and
with sites they never specifically wanted encryption for.  They'll
then disable encryption for the site and forget they did that, so
the site is stuck at cleartext "forever".

Anyway, I think I've accepted the probability that RC4 will be a
MUST NOT, but that I'll simply have to ignore this for a few years.

-- 
	Viktor.