Re: [TLS] 3DES diediedie

Hanno Böck <hanno@hboeck.de> Fri, 26 August 2016 08:13 UTC

Return-Path: <hanno@hboeck.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 773C2127077 for <tls@ietfa.amsl.com>; Fri, 26 Aug 2016 01:13:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mET1wyEKhCQN for <tls@ietfa.amsl.com>; Fri, 26 Aug 2016 01:13:07 -0700 (PDT)
Received: from zucker.schokokeks.org (zucker.schokokeks.org [178.63.68.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D407512D09C for <tls@ietf.org>; Fri, 26 Aug 2016 01:13:06 -0700 (PDT)
Received: from pc1 (dslb-188-102-031-228.188.102.pools.vodafone-ip.de [::ffff:188.102.31.228]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 256bits, ECDHE-RSA-AES256-GCM-SHA384) by zucker.schokokeks.org with ESMTPSA; Fri, 26 Aug 2016 10:13:05 +0200 id 000000000000007D.0000000057BFFA11.00005DC1
Date: Fri, 26 Aug 2016 10:13:04 +0200
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@hboeck.de>
To: Tony Arcieri <bascule@gmail.com>
Message-ID: <20160826101304.4815eecb@pc1>
In-Reply-To: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com>
References: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com>
X-Mailer: Claws Mail 3.14.0 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-24001-1472199185-0001-2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kzD5D_n25hcFAYSK1HzQonb2VEw>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] 3DES diediedie
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 08:13:09 -0000

On Wed, 24 Aug 2016 19:08:02 -0700
Tony Arcieri <bascule@gmail.com> wrote:

> Should there be a 3DES "diediedie"?

I think a 3des diediedie rfc would be a good idea.

I was wondering yesterday whether I should disable 3des on my servers.
I'd likely exclude a small portion of my visitors for a very small
security gain.

Having a diediedie rfc would indicate that a significant portion of the
net agrees that we want to hard-deprecate 3des. I'd feel more
comfortable disabling it on my servers if I know that a reasonable
number of other servers will do the same thing, because users with a
3des/rc4-only browser will not only see failures on my site, they will
see failures all the time and will be forced to switch.

Forcing them to switch is also probably almost always a good thing.
Even for users who are stuck on Windows XP for whatever reason probably
have better options than sticking to builtin IE - e.g. they can use
Firefox, which is still supporting XP and offers modern ciphers.

Appart from that more operational argument, as far as I can see the
attack scenarios for RC4 and 3DES are in the same ballpark of
complexity. Not very practical, but practical enough to make us feel
uneasy, because we want TLS to provide reasonable protection even
against ulikely scenarios. We decided to deprecate RC4 with an RFC, so
it seems logical to deprecate 3DES as well.

(while we are at it: I'm not sure, do we have any official RFC
deprecating the even older ciphers - Single-DES, RC2 etc. - yet? We
could just stuff that in)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42