Re: [TLS] 3DES diediedie

Hanno Böck <hanno@hboeck.de> Fri, 26 August 2016 08:13 UTC

Date: Fri, 26 Aug 2016 10:13:04 +0200
From: Hanno Böck <hanno@hboeck.de>
To: Tony Arcieri <bascule@gmail.com>
Message-ID: <20160826101304.4815eecb@pc1>
In-Reply-To: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com>
References: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-24001-1472199185-0001-2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kzD5D_n25hcFAYSK1HzQonb2VEw>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] 3DES diediedie
Precedence: list

On Wed, 24 Aug 2016 19:08:02 -0700
Tony Arcieri <bascule@gmail.com> wrote:

> Should there be a 3DES "diediedie"?

I think a 3des diediedie rfc would be a good idea.

I was wondering yesterday whether I should disable 3des on my servers.
I'd likely exclude a small portion of my visitors for a very small
security gain.

Having a diediedie rfc would indicate that a significant portion of the
net agrees that we want to hard-deprecate 3des. I'd feel more
comfortable disabling it on my servers if I know that a reasonable
number of other servers will do the same thing, because users with a
3des/rc4-only browser will not only see failures on my site, they will
see failures all the time and will be forced to switch.

Forcing them to switch is also probably almost always a good thing.
Even for users who are stuck on Windows XP for whatever reason probably
have better options than sticking to builtin IE - e.g. they can use
Firefox, which is still supporting XP and offers modern ciphers.

Appart from that more operational argument, as far as I can see the
attack scenarios for RC4 and 3DES are in the same ballpark of
complexity. Not very practical, but practical enough to make us feel
uneasy, because we want TLS to provide reasonable protection even
against ulikely scenarios. We decided to deprecate RC4 with an RFC, so
it seems logical to deprecate 3DES as well.

(while we are at it: I'm not sure, do we have any official RFC
deprecating the even older ciphers - Single-DES, RC2 etc. - yet? We
could just stuff that in)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

[TLS] 3DES diediedie Tony Arcieri
Re: [TLS] [Cfrg] 3DES diediedie Benjamin Kaduk
Re: [TLS] [Cfrg] 3DES diediedie Tony Arcieri
Re: [TLS] [Cfrg] 3DES diediedie Tony Arcieri
Re: [TLS] [Cfrg] 3DES diediedie Stephen Farrell
Re: [TLS] [Cfrg] 3DES diediedie Tony Arcieri
Re: [TLS] [Cfrg] 3DES diediedie Viktor Dukhovni
Re: [TLS] 3DES diediedie Peter Gutmann
Re: [TLS] 3DES diediedie Tony Arcieri
Re: [TLS] [Cfrg] 3DES diediedie John Mattsson
Re: [TLS] [Cfrg] 3DES diediedie Stephen Farrell
Re: [TLS] [Cfrg] 3DES diediedie Hubert Kario
Re: [TLS] [Cfrg] 3DES diediedie david wong
Re: [TLS] [Cfrg] 3DES diediedie Eric Rescorla
Re: [TLS] [Cfrg] 3DES diediedie Ira McDonald
Re: [TLS] [Cfrg] 3DES diediedie Hubert Kario
Re: [TLS] 3DES diediedie Geoffrey Keating
Re: [TLS] 3DES diediedie Dmitry Belyavsky
Re: [TLS] [Cfrg] 3DES diediedie Stanislav V. Smyshlyaev
Re: [TLS] 3DES diediedie Hanno Böck
Re: [TLS] [Cfrg] 3DES diediedie David McGrew (mcgrew)
Re: [TLS] [Cfrg] 3DES diediedie Watson Ladd
Re: [TLS] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie David McGrew (mcgrew)
Re: [TLS] [Cfrg] 3DES diediedie Karthikeyan Bhargavan
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Stephen Farrell
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Hubert Kario
Re: [TLS] [Cfrg] 3DES diediedie David McGrew (mcgrew)
Re: [TLS] [Cfrg] 3DES diediedie Joachim Strömbergson
Re: [TLS] [Cfrg] 3DES diediedie John Mattsson
[TLS] (confusing the issues) Re: [Cfrg] 3DES died… Rene Struik
Re: [TLS] [Cfrg] 3DES diediedie Ilari Liusvaara
Re: [TLS] (confusing the issues) Re: [Cfrg] 3DES … Dave Garrett
Re: [TLS] [Cfrg] 3DES diediedie Jon Callas
Re: [TLS] [Cfrg] (confusing the issues) Re: 3DES … Jon Callas
Re: [TLS] [Cfrg] 3DES diediedie Steven M. Bellovin
Re: [TLS] [Cfrg] (confusing the issues) Re: 3DES … Rene Struik
Re: [TLS] [Cfrg] (confusing the issues) Re: 3DES … Greg Rose
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie David McGrew (mcgrew)
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Derek Atkins
Re: [TLS] [Cfrg] 3DES diediedie Hilarie Orman
Re: [TLS] [Cfrg] 3DES diediedie Brian Sniffen
Re: [TLS] [Cfrg] 3DES diediedie Hilarie Orman
Re: [TLS] [Cfrg] 3DES diediedie Derek Atkins
Re: [TLS] [Cfrg] 3DES diediedie Steven M. Bellovin
Re: [TLS] [Cfrg] 3DES diediedie Joachim Strömbergson
Re: [TLS] [Cfrg] 3DES diediedie Hilarie Orman
Re: [TLS] [Cfrg] 3DES diediedie Joachim Strömbergson
Re: [TLS] [Cfrg] 3DES diediedie Kyle Rose
Re: [TLS] 3DES diediedie Richard Hartmann
Re: [TLS] [Cfrg] 3DES diediedie Derek Atkins
Re: [TLS] [Cfrg] 3DES diediedie Hilarie Orman
Re: [TLS] [Cfrg] 3DES diediedie Ben Laurie
Re: [TLS] [Cfrg] 3DES diediedie Ben Laurie
Re: [TLS] [Cfrg] 3DES diediedie Joachim Strömbergson
Re: [TLS] [Cfrg] 3DES diediedie Derek Atkins
Re: [TLS] [Cfrg] 3DES diediedie Dave Garrett
Re: [TLS] [Cfrg] 3DES diediedie Ira McDonald
Re: [TLS] [Cfrg] 3DES diediedie Philip Levis
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Joachim Strömbergson
Re: [TLS] [Cfrg] 3DES diediedie Ilari Liusvaara
Re: [TLS] [Cfrg] 3DES diediedie Richard Hartmann
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Salz, Rich
Re: [TLS] [Cfrg] 3DES diediedie Tony Arcieri
Re: [TLS] [Cfrg] 3DES diediedie Peter Gutmann
Re: [TLS] [Cfrg] 3DES diediedie Derek Atkins
Re: [TLS] [Cfrg] 3DES diediedie Derek Atkins
Re: [TLS] [Cfrg] 3DES diediedie Kyle Rose
Re: [TLS] [Cfrg] 3DES diediedie Tony Arcieri
Re: [TLS] [Cfrg] 3DES diediedie Yoav Nir
Re: [TLS] [Cfrg] 3DES diediedie Kyle Rose