IETF Logo Mail Archive

Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

Yoav Nir <ynir.ietf@gmail.com> Sat, 19 April 2014 20:51 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CB611A00CF for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 13:51:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxP22s5lGnKz for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 13:51:03 -0700 (PDT)
Received: from mail-ee0-x232.google.com (mail-ee0-x232.google.com [IPv6:2a00:1450:4013:c00::232]) by ietfa.amsl.com (Postfix) with ESMTP id 7A6761A00A7 for <tls@ietf.org>; Sat, 19 Apr 2014 13:51:03 -0700 (PDT)
Received: by mail-ee0-f50.google.com with SMTP id c13so2587031eek.37 for <tls@ietf.org>; Sat, 19 Apr 2014 13:50:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=UF8JQQqXcOTs6fq+fNoWoFwFNdO727oqTG5Rf4mpujo=; b=RzPdhRSF65s9CwDqcaFl+FYK6oftCYACff5vjlcHltZbjxyB6wx/NSduT/JeLU/cQG p5z9A66ARwP9w90OB2J6k/zHC+8SGPxtUhgXamNmaOvxe7rswPrwl7LjPD7W5klZuVSb kKBAxLBquaEjYBcrUr+92LOq9ZnmZ0q0+us4W8+AjvckZXgRBpv2WPUY3nsbzaCEpK6y 59vPdfMaYGs177TUseOzYfqI1rKL6RlivFs/OqRhnmQmVHu20Iegz2u8Qrt9Jq5p+5OW xzqS3ofzyh57EFu3yb6YerOmYG5AX+0TzCL6rav8WOeG7blbs+bvuuG9b0As1DIlZXuJ zKAQ==
X-Received: by 10.15.51.141 with SMTP id n13mr33285717eew.17.1397940658687; Sat, 19 Apr 2014 13:50:58 -0700 (PDT)
Received: from [192.168.1.102] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id z48sm88612551eel.27.2014.04.19.13.50.53 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 19 Apr 2014 13:50:58 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <5352D82C.2030302@akr.io>
Date: Sat, 19 Apr 2014 23:50:41 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <2E68BD96-A94F-4965-82AA-E8E6B314F1E7@gmail.com>
References: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com> <20140419131019.GA29561@roeckx.be> <5352B328.1080006@pobox.com> <20140419175352.GA9090@roeckx.be> <238BBDD5-DDE5-4627-AF4D-BC57DC0E61D7@gmail.com> <5352D82C.2030302@akr.io>
To: Alyssa Rowan <akr@akr.io>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kfMOODX4YH2YGIKiFo1M4XOEGXg
Cc: tls@ietf.org
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 20:51:08 -0000

On Apr 19, 2014, at 11:10 PM, Alyssa Rowan <akr@akr.io> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> On 19/04/2014 20:28, Yoav Nir wrote:
> 
>> As long as the client is required to support such servers, I guess 
>> we have to live with it.
> 
> I think the only correct deprecation path to recommend is the one
> that's on the table right now: the off switch.
> 
> Warn your users if you have to. But don't negotiate RC4 without a
> click-through warning.

I can probably do it, as long as I provide a configuration to re-enable it. But that’s me. 

Check out the survey that Kurt posted a link to. 1.56% or TLS servers support only RC4. Browsers are distributed for free, and each of the big ones is installed in hundreds of millions of copies. They can’t afford having support calls, and they can’t afford the bad publicity that comes with “some sites don’t work with this browser”.  What Microsoft is doing is the best we can hope for for now.

Yoav

v2.23.0 | Report a Bug | By Email