Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Ronald del Rosario <rrosario@five9.com> Thu, 09 October 2014 17:10 UTC

Return-Path: <rrosario@five9.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D2A71AD3C2 for <tls@ietfa.amsl.com>; Thu, 9 Oct 2014 10:10:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S_cT_PyvNaRY for <tls@ietfa.amsl.com>; Thu, 9 Oct 2014 10:10:00 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0139.outbound.protection.outlook.com [65.55.169.139]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B0771AD3C4 for <tls@ietf.org>; Thu, 9 Oct 2014 10:06:05 -0700 (PDT)
Received: from BY2FFO11FD023.protection.gbl (10.1.14.33) by BY2FFO11HUB006.protection.gbl (10.1.14.164) with Microsoft SMTP Server (TLS) id 15.0.1039.16; Thu, 9 Oct 2014 17:06:02 +0000
Received: from mx02.five9.com (198.105.204.3) by BY2FFO11FD023.mail.protection.outlook.com (10.1.15.212) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Thu, 9 Oct 2014 17:06:02 +0000
Received: from MB03.five9.com (10.7.8.143) by mx02.five9.com (10.7.15.112) with Microsoft SMTP Server (TLS) id 14.3.158.1; Thu, 9 Oct 2014 10:05:10 -0700
Received: from MB02.five9.com ([fe80::ede6:8312:5207:4046]) by mb03.five9.com ([fe80::4d18:3a9c:2936:eea8%16]) with mapi id 14.03.0158.001; Thu, 9 Oct 2014 10:06:01 -0700
From: Ronald del Rosario <rrosario@five9.com>
To: "mrex@sap.com" <mrex@sap.com>, Hubert Kario <hkario@redhat.com>
Thread-Topic: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
Thread-Index: AQHP4aKTa2Q4hqaWq0uxWUf2L1RqIJwj+Q2AgAQKQ4A=
Date: Thu, 09 Oct 2014 17:06:00 +0000
Message-ID: <D05C0DA3.159B2%rrosario@five9.com>
References: <1381566393.7039054.1412626641999.JavaMail.zimbra@redhat.com> <20141006202411.5FB491AEB1@ld9781.wdf.sap.corp>
In-Reply-To: <20141006202411.5FB491AEB1@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
x-originating-ip: [10.7.8.130]
Content-Type: multipart/related; boundary="_004_D05C0DA3159B2rrosariofive9com_"; type="multipart/alternative"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:198.105.204.3; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(438002)(24454002)(377454003)(199003)(189002)(561944003)(77096002)(44976005)(83506001)(53416004)(92726001)(67866002)(86362001)(16236675004)(46102003)(19580405001)(50986999)(84326002)(64706001)(2656002)(20776003)(99936001)(92566001)(87936001)(21056001)(15975445006)(76176999)(66926002)(54356999)(575784001)(17760045003)(512944002)(19580395003)(85852003)(80022003)(15202345003)(15974865002)(19627595001)(19617315012)(76482002)(31966008)(2501002)(18206015026)(230783001)(71186001)(85306004)(95666004)(106466001)(120916001)(106116001)(36756003)(6806004)(99396003)(107046002)(4396001)(85436002)(24704002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2FFO11HUB006; H:mx02.five9.com; FPR:; MLV:sfv; PTR:mx02.five9.com; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BY2FFO11HUB006;
X-Forefront-PRVS: 0359162B6D
Received-SPF: Pass (protection.outlook.com: domain of five9.com designates 198.105.204.3 as permitted sender) receiver=protection.outlook.com; client-ip=198.105.204.3; helo=mx02.five9.com;
Authentication-Results: spf=pass (sender IP is 198.105.204.3) smtp.mailfrom=rrosario@five9.com;
X-OriginatorOrg: five9.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vBgsdKB9oSkZBSUtpPrqVtXafcw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Oct 2014 17:10:03 -0000

"I'm not sure how representative that cloudflare statistic is.

But if this is anywhere near the real numbers, that the current
"MUST NOT" for server would be clear fear-mongering rather than
providing the target audience a sensible information about the
trade-off and realistic perspective on the insignificance of
the perceived threat.

-Martin”

+1

I live in a browser-integration world (CRM, Softphone clients, etc.) and disabling support for RC4 will be a burden since we still have a big percentage of customers using WindowsXP/IE6 (Obsolete clients) due to legacy custom integrations they are running.

I feel that making RC4 a "MUST NOT” and ending up as an IETF Standard is too much fear-mongering.

Best,

Ron F. del Rosario
Information Security Officer

[cid:D8C7FEEC-B79B-4830-9898-1599B9F2269E]

Five9, Inc.
Cloud Contact Center Software
4000 Executive Pkwy, Ste 400 San Ramon, CA 94583
www.Five9.com<http://www.five9.com/>

From: Martin Rex <mrex@sap.com<mailto:mrex@sap.com>>
Reply-To: "mrex@sap.com<mailto:mrex@sap.com>" <mrex@sap.com<mailto:mrex@sap.com>>
Date: Monday, October 6, 2014 at 1:24 PM
To: Hubert Kario <hkario@redhat.com<mailto:hkario@redhat.com>>
Cc: "tls@ietf.org<mailto:tls@ietf.org>" <tls@ietf.org<mailto:tls@ietf.org>>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Hubert Kario wrote:

My issue is with the IMHO bogus "MUST NOT" for servers.
Servers have no control over the client behaviour, and the current
proposal calls for an unconditional hard failure (equals to
"come back in clear text") rather than interoperating with an
RC4-based TLS cipher suites with installed base clients.

thing is that only very specific clients do advertise only RC4,
far less than there are RC4 only servers. Cloudflare saw on the
order of 0.000002% of connections end up with RC4:
http://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/
All from long obsolete clients.
Previously they saw on the order of 0.0009%:
http://blog.cloudflare.com/killing-rc4-the-long-goodbye/


I'm not sure how representative that cloudflare statistic is.

But if this is anywhere near the real numbers, that the current
"MUST NOT" for server would be clear fear-mongering rather than
providing the target audience a sensible information about the
trade-off and realistic perspective on the insignificance of
the perceived threat.

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls


________________________________

CONFIDENTIALITY NOTICE: This e-mail and any files attached may contain confidential information of Five9 and/or its affiliated entities. Access by the intended recipient only is authorized. Any liability arising from any party acting, or refraining from acting, on any information contained in this e-mail is hereby excluded. If you are not the intended recipient, please notify the sender immediately, destroy the original transmission and its attachments and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Copyright in this e-mail and any attachments belongs to Five9 and/or its affiliated entities.