Re: [Uta] On prohibiting RC4
Andrei Popov <Andrei.Popov@microsoft.com> Fri, 07 March 2014 19:22 UTC
Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AF8C1A01E4 for <uta@ietfa.amsl.com>; Fri, 7 Mar 2014 11:22:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GEyCGKJVRGiK for <uta@ietfa.amsl.com>; Fri, 7 Mar 2014 11:22:53 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0143.outbound.protection.outlook.com [207.46.163.143]) by ietfa.amsl.com (Postfix) with ESMTP id 003D71A023A for <uta@ietf.org>; Fri, 7 Mar 2014 11:22:52 -0800 (PST)
Received: from BL2PR03MB419.namprd03.prod.outlook.com (10.141.92.18) by BL2PR03MB592.namprd03.prod.outlook.com (10.255.109.35) with Microsoft SMTP Server (TLS) id 15.0.893.10; Fri, 7 Mar 2014 19:22:47 +0000
Received: from BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) by BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) with mapi id 15.00.0893.001; Fri, 7 Mar 2014 19:22:47 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "Salz, Rich" <rsalz@akamai.com>, Alyssa Rowan <akr@akr.io>, "uta@ietf.org" <uta@ietf.org>
Thread-Topic: [Uta] On prohibiting RC4
Thread-Index: Ac8564QKs0rdCOVSTiywj6IZRlSaLAADiv8AAAJlVQAADIaAwA==
Date: Fri, 07 Mar 2014 19:22:46 +0000
Message-ID: <147c6c280e2044ac97624762410872ff@BL2PR03MB419.namprd03.prod.outlook.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C711FB9AAD73@USMBX1.msg.corp.akamai.com> <5319AF96.7000407@akr.io> <2A0EFB9C05D0164E98F19BB0AF3708C711FB9AADD7@USMBX1.msg.corp.akamai.com>
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711FB9AADD7@USMBX1.msg.corp.akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ee43::3]
x-forefront-prvs: 014304E855
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(189002)(13464003)(199002)(377454003)(81686001)(81816001)(79102001)(74316001)(76576001)(15975445006)(74366001)(81542001)(76796001)(65816001)(80022001)(74706001)(33646001)(63696002)(19580405001)(80976001)(83322001)(19580395003)(76482001)(85306002)(2656002)(92566001)(93136001)(76786001)(81342001)(97186001)(46102001)(47446002)(69226001)(4396001)(53806001)(86362001)(93516002)(74662001)(74502001)(77982001)(87266001)(95666003)(59766001)(90146001)(50986001)(85852003)(51856001)(83072002)(74876001)(56776001)(54316002)(56816005)(87936001)(47976001)(94946001)(31966008)(94316002)(47736001)(49866001)(86612001)(54356001)(97336001)(95416001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB592; H:BL2PR03MB419.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ee43::3; FPR:FC5EFDEF.A6F2A7E9.FDD57580.4CE4D2C1.203DA; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/aliLYcyv-Y6ddcOX_-quZ_5pnKw
Subject: Re: [Uta] On prohibiting RC4
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Mar 2014 19:22:55 -0000
> It depends on what you're concerned about. From a global view, I'm concerned about perpass. From a commercial view, I'm perhaps more worried about my customers getting through to me. Are you dealing with a significant number of RC4-only TLS clients? When we tried to disable RC4 altogether here at MS, the issues we ran into were mostly with the TLS servers that would not speak anything but RC4 (not just web servers, but other applications such as e-mail). We were nevertheless able to have IE not offer RC4 on the initial connection attempt. If adopted, the RC4 deprecation draft would hopefully send a strong message to the industry and help us phase out RC4 sooner. Cheers, Andrei -----Original Message----- From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Salz, Rich Sent: Friday, March 7, 2014 4:47 AM To: Alyssa Rowan; uta@ietf.org Subject: Re: [Uta] On prohibiting RC4 > With respect, I think he's simply wrong, because (and we've been over > this ground previously on this list, in December/January) passive breaks are a much greater threat than active BEAST attacks. It depends on what you're concerned about. From a global view, I'm concerned about perpass. From a commercial view, I'm perhaps more worried about my customers getting through to me. > I have heard from sources I trust that NSA can passively crack RC4 in > SSL/TLS in or about real-time: they are apparently doing so en-masse, > and (importantly!) to historically-captured traffic. ... If so, they must have really liked people switching to it to avoid the BEAST active attack - a mistake we should not make. You're not seriously expecting me to take this undocumented assertion without skepticism, are you? > BEAST attacks are active, and perpass normally has no means to perform them. > That is not to say that those active attacks do not pose a risk, but > that they pose a lower risk Not everyone feels this way. > so I assume you're simply playing Devil's Advocate here? No. > If you have any specific points or counterpoints, I'm sure we'd all love to hear them. I'll wait until the minutes are published which will hopefully contain ekr's view which (rightfully) carries more weight than mine. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
- Re: [Uta] On prohibiting RC4 Alyssa Rowan
- [Uta] On prohibiting RC4 Salz, Rich
- Re: [Uta] On prohibiting RC4 Alyssa Rowan
- Re: [Uta] On prohibiting RC4 Salz, Rich
- Re: [Uta] On prohibiting RC4 Salz, Rich
- Re: [Uta] On prohibiting RC4 Alyssa Rowan
- Re: [Uta] On prohibiting RC4 Andrei Popov
- Re: [Uta] On prohibiting RC4 Franck Martin
- Re: [Uta] On prohibiting RC4 Joe St Sauver
- Re: [Uta] On prohibiting RC4 Yaron Sheffer
- Re: [Uta] On prohibiting RC4 Martin Thomson
- Re: [Uta] On prohibiting RC4 Yaron Sheffer
- Re: [Uta] On prohibiting RC4 Martin Thomson
- Re: [Uta] On prohibiting RC4 Andrei Popov