Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Watson Ladd <watsonbladd@gmail.com> Sun, 05 October 2014 23:54 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 161CB1A0137 for <tls@ietfa.amsl.com>; Sun, 5 Oct 2014 16:54:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rMYMRwooZyVZ for <tls@ietfa.amsl.com>; Sun, 5 Oct 2014 16:54:01 -0700 (PDT)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 563AC1A0120 for <tls@ietf.org>; Sun, 5 Oct 2014 16:54:01 -0700 (PDT)
Received: by mail-yk0-f172.google.com with SMTP id 19so1546523ykq.17 for <tls@ietf.org>; Sun, 05 Oct 2014 16:54:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=SrsRzJfSBfl32SNAWux6cWuSBTibBhGLTGBFKpCq1EA=; b=PXdo7HTQ8kGCXOnPakK+BZ0a5B+QZUvgUqGMcyxn6lHTeoRnn+MhFNtf7b0LffAfs3 qabY4s1JlmF/RKfSWQH1xWFCN/OoOlPXxip1MQ2U6an2ea5oTBUKW7MWULaDknBWBiWZ ByLLUhqW0TyK/+jwI6PCuu1D65iz2+Q3945YwUikAeSjnjJEQTEaEHTChFbRt7OcY1/c NyhWwL28S53D5O8hbjqwrmj5HyxfDYPd/QLgWwA0OCXJBZhGDBVX3ZTSMAqluwEkKYMp l0iUW16g+XvASKT7HmWR42h2h4yi4rOGxfWIu6tURabHAmKKDEqRbBBNIjp8T+/O5dKu 6MWQ==
MIME-Version: 1.0
X-Received: by 10.236.88.226 with SMTP id a62mr32861454yhf.64.1412553240638; Sun, 05 Oct 2014 16:54:00 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Sun, 5 Oct 2014 16:54:00 -0700 (PDT)
In-Reply-To: <m3bnpsq1gk.fsf@carbon.jhcloos.org>
References: <20141002005804.2760C1AE9D@ld9781.wdf.sap.corp> <BA2DFF33-7B0C-4E87-9C0E-215933AED88F@akr.io> <2A0EFB9C05D0164E98F19BB0AF3708C71D2F8F7E83@USMBX1.msg.corp.akamai.com> <CADMpkcJEt4e7LJAY+FsFcbyQE2x3SXsaOW3bffV4U2oN9EUKrg@mail.gmail.com> <542D850E.2060900@akr.io> <CADMpkc+Zbu64wek2HayW2tCf+d1ZYLocMp2PzXncyS=fHPDwsg@mail.gmail.com> <542DB1D4.4020601@akr.io> <20141003042418.GS13254@mournblade.imrryr.org> <1878200851.5790803.1412334914571.JavaMail.zimbra@redhat.com> <m3bnpsq1gk.fsf@carbon.jhcloos.org>
Date: Sun, 5 Oct 2014 16:54:00 -0700
Message-ID: <CACsn0cn5hpBHiFyPkaJ5Fik-GaDPy7BNCxxw=cHu4BzrJSTr_A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: James Cloos <cloos@jhcloos.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pf5Z9S6_V4lERLKGJkOodtmG_hc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Oct 2014 23:54:06 -0000

On Fri, Oct 3, 2014 at 2:37 PM, James Cloos <cloos@jhcloos.com> wrote:
>>>>>> "HK" == Hubert Kario <hkario@redhat.com> writes:
>
> HK> Only about 1% of servers support only RC4 cipher, 1.5% if you're
> HK> using Firefox[1].
>
> When this first came up I test a few of them.  Some of the sites I
> tested had some sort of load balancing box listening on the main uri
> which redirected to the real servers.  In each of the cases of that
> sort where the redirecting box only supported rc4, the destinations
> all supported a reasonably modern set of ciphers.
>
> So the problem isn't just updating typical web servers, but also dealing
> with what are likely low-spec closed-source fronts.  It may be impossible
> for some of the rc4-only sites to fix that w/o replacing (probably over-
> priced) hardware.

Then that's what they are going to have to do at some point. SHOULD
pushes that point off with no reason.

>
> -JimC
> --
> James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin