Re: [TLS] RC4 depreciation path (Re: Deprecating more (DSA?))
Kurt Roeckx <kurt@roeckx.be> Sat, 19 April 2014 19:54 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/l-i_XONqXSbFYkTY2x7Eba4y6nA

On Sat, Apr 19, 2014 at 12:32:59PM -0700, Fabrice wrote:
>
> > So I think that for now the best we can do is:
> > - Servers should either stop accepting RC4 or make sure that
> >   if the client supports something better (TLS >= 1.1?) it should
> >   not pick RC4.
>
> I would think there would be very few if any clients out there that only support RC4. But I would expect some servers out there do not support RC4 already.
> Although I have no actual data to support my gut feeling here, and would be glad to be proven wrong.

IE on XP is known to only support 3DES, RC4, and some export ciphers. Not everybody agrees that 3DES would be best for those, because 3DES is much slower. 3DES would probably be vulnerable to BEAST, and IE6 doesn't like the record splitting. If you really need to support those clients, RC4 might actually be your best option.

I don't have any good stats about what clients are out there and what they support, but I've heard Mozilla is collecting some. But then I'd actually rather see stats from someone else.

For stats about servers, see:
https://www.trustworthyinternet.org/ssl-pulse/
https://jve.linuxwall.info/blog/index.php?post/TLS_Survey

Kurt
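
The server-side choice discussed in this message, modelled as an added example that is not part of the message or of any TLS implementation. The function name, the rc4_policy values and the client offers are assumptions made for illustration; treating "TLS >= 1.1" as proof that the client supports something better follows the quoted suggestion.

```python
# Added example: server-preference cipher selection with RC4 as a legacy
# fallback only. Suite names are IANA names; client offers are constructed.

TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)

STRONG = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
TRIPLE_DES = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
RC4 = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]

# Constructed offers: a legacy client limited to RC4, 3DES and export suites,
# and a newer client that happens to list RC4 first.
LEGACY_OFFER = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
                "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
MODERN_OFFER = ["TLS_RSA_WITH_RC4_128_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA"]


def select_suite(client_version, offered, rc4_policy="before_3des"):
    """Return the suite the server picks, or None to abort the handshake.

    rc4_policy (hypothetical knob):
      "before_3des"  legacy clients get RC4 ahead of 3DES
      "last"         legacy clients get 3DES ahead of RC4
      "off"          the server has stopped accepting RC4
    """
    legacy = {"before_3des": RC4 + TRIPLE_DES,
              "last": TRIPLE_DES + RC4,
              "off": TRIPLE_DES}[rc4_policy]
    if client_version >= TLS11:
        # Assumption: a TLS >= 1.1 client has something better, so never RC4.
        legacy = [s for s in legacy if s not in RC4]
    offered = set(offered)
    for suite in STRONG + legacy:  # server order wins, not the client's order
        if suite in offered:
            return suite
    return None  # export-only or RC4-only newer clients are refused


if __name__ == "__main__":
    for policy in ("before_3des", "last", "off"):
        print(policy, "->", select_suite(TLS10, LEGACY_OFFER, policy))
    print("modern ->", select_suite(TLS12, MODERN_OFFER))
```

Export suites never appear in the server's list, so a client offering only those is refused whichever policy is set.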