IETF Logo Mail Archive

Re: [TLS] RC4 depreciation path (Re: Deprecating more (DSA?))

Kurt Roeckx <kurt@roeckx.be> Sat, 19 April 2014 19:54 UTC

Return-Path: <kurt@roeckx.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EBAE1A00BF for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:54:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.17
X-Spam-Level:
X-Spam-Status: No, score=0.17 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, URI_NO_WWW_INFO_CGI=2.071] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aheDLEgm-JoU for <tls@ietfa.amsl.com>; Sat, 19 Apr 2014 12:54:40 -0700 (PDT)
Received: from defiant.e-webshops.eu (defiant.e-webshops.eu [82.146.122.140]) by ietfa.amsl.com (Postfix) with ESMTP id 353021A00A5 for <tls@ietf.org>; Sat, 19 Apr 2014 12:54:40 -0700 (PDT)
Received: from intrepid.roeckx.be (localhost [127.0.0.1]) by defiant.e-webshops.eu (Postfix) with ESMTP id 128111C2121; Sat, 19 Apr 2014 21:54:35 +0200 (CEST)
Received: by intrepid.roeckx.be (Postfix, from userid 1000) id E27471FE0214; Sat, 19 Apr 2014 21:54:34 +0200 (CEST)
Date: Sat, 19 Apr 2014 21:54:34 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: Fabrice <fabrice.gautier@gmail.com>
Message-ID: <20140419195434.GA21513@roeckx.be>
References: <CACsn0cnZFScA1WnitpHH--6_Kd0spfLQvmvniyCSnUmvr8xVhg@mail.gmail.com> <20140419131019.GA29561@roeckx.be> <AFC6B628-8D22-4B06-B2B8-7B047515FFB3@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AFC6B628-8D22-4B06-B2B8-7B047515FFB3@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/l-i_XONqXSbFYkTY2x7Eba4y6nA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 depreciation path (Re: Deprecating more (DSA?))
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Apr 2014 19:54:44 -0000

On Sat, Apr 19, 2014 at 12:32:59PM -0700, Fabrice wrote:
> 
> > So I think that for now the best we can do is:
> > - Servers should either stop accepting RC4 or make sure that 
> >  if the clients supports something better (TLS >= 1.1?) it should
> >  not pick RC4.
> 
> I would think there would be very few if any clients out there that only support RC4. But I would expect some servers out there do no support RC4 already.
> Although I have no actual data to support my gut feeling here, and would be glad to be proven wrong. 

IE on XP is known to only support 3DES, RC4, and some export
ciphers.  Not everybody agrees that 3DES would be best for those,
because 3DES is much slower.  3DES would probably be vulnerable
to BEAST, and IE6 doesn't like the record splitting.  If you
really need to support those clients RC4 might actually be your
best option.

I don't have any good stats about what clients our out there and
what they support, but I've hard mozilla is collecting some.  But
then I'd actually rather see stats from someone else.

For stats about servers, see:
https://www.trustworthyinternet.org/ssl-pulse/
https://jve.linuxwall.info/blog/index.php?post/TLS_Survey


Kurt

v2.23.0 | Report a Bug | By Email