----- Original Message -----
> From: "Viktor Dukhovni" <openssl-us...@dukhovni.org>
> To: openssl-dev@openssl.org
> Sent: Monday, 31 March, 2014 3:09:12 PM
> Subject: Re: Insecure DEFAULT cipher set
> 
> On Mon, Mar 31, 2014 at 08:49:37AM -0400, Hubert Kario wrote:
> 
> > > There is no benefit in excluding RC4-SHA1 from the default list.
> > > When servers support stronger algorithms, those will be negotiated.
> > > All you get by excluding RC4-SHA1 is loss of interoperability, which
> > > may be OK for dedicated environments, but is not a good DEFAULT.
> > 
> > Problem is that RC4 is providing comparable security to export grade
> > suites.
> > It is essentially broken.
> 
> The situation is not quite that dire, and the solution is not to
> *remove* RC4 from the DEFAULT cipherlist (breaking interoperability),
> but for servers to stop explicitly preferring it.  OpenSSL has for a long
> time placed RC4 *last* in the medium cipherlist, which is about right.
> 
>     https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
> 
>     At the moment, the attack is not yet practical because it
>     requires access to millions and possibly billions of copies of
>     the same data encrypted using different keys. A browser would
>     have to make that many connections to a server to give the
>     attacker enough data. A possible exploitation path is to somehow
>     instrument the browser to make a large number of connections,
>     while a man in the middle is observing and recording the traffic.

Note that this is just the effect of the most obvious, easiest-to-perform attack.

Attacks which don't require millions of copies of the same data encrypted
with different keys will undoubtedly be harder to perform. But by how much?

Even an automated system which connects once a minute to a server will generate
over half a million connections after a year. If the password resides
in "unfortunate" bytes with high biases, the attack requires just 30 times
more data to recover parts of the password. Even if that means 2^10 more
computational power, the attack is certainly in the realm of possibility for
any determined adversary.

As such, RC4 should be considered as secure as export grade cipher suites.

> I am not arguing for continuing widespread use of RC4, I am arguing
> against unnecessary incompatible changes in the DEFAULT cipherlist.

And I'm primarily arguing about future releases of openssl (1.0.3 or 1.1.0,
possibly 1.0.2).

For older branches I'd like to see those changes incorporated too, but
as you say, disabling RC4 there might be too risky.

-- 
Regards,
Hubert Kario
BaseOS QE Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
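Added example, not part of the thread above and not OpenSSL project code: a small audit of the cipher-string choices the two posters are debating (stock `DEFAULT`, `DEFAULT` with RC4 demoted to the very end, and `DEFAULT` with RC4 excluded), expanded by whatever libssl the local Python `ssl` module is linked against. The three cipher strings and the helper names (`expand_cipherlist`, `rc4_position`, `audit`) are this example's own; `stronger_after` counts how many non-RC4 suites a server honouring its own order would pass over in favour of RC4, which is the "explicitly preferring it" problem Viktor describes. On OpenSSL 1.1.0 and later RC4 suites are compiled out unless the library was built with `enable-weak-ssl-ciphers`, so on a modern system the RC4 position comes back as `None` for all three strings.

```python
import ssl

# Cipher strings under discussion (constructed for this example).
CIPHER_STRINGS = {
    "default":  "DEFAULT",             # what an unconfigured server gets
    "rc4_last": "DEFAULT:-RC4:RC4",    # keep RC4 for interop, but re-append it last
    "no_rc4":   "DEFAULT:!RC4",        # remove RC4 outright
}


def expand_cipherlist(cipher_string):
    """Expand an OpenSSL cipher string into the suite names the local libssl
    selects, in preference order.  Returns [] when nothing matches, because
    set_ciphers() raises ssl.SSLError in that case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() reports the expanded list (TLS 1.3 suites first on 1.1.1+).
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_position(names):
    """Index of the first RC4 suite in names, or None if RC4 is absent."""
    for index, name in enumerate(names):
        if "RC4" in name:
            return index
    return None


def audit(cipher_string):
    """Summarise where RC4 sits in the expanded list for cipher_string."""
    names = expand_cipherlist(cipher_string)
    pos = rc4_position(names)
    if pos is None:
        stronger_after = 0
    else:
        # Non-RC4 suites that follow the first RC4 entry: a server that
        # honours its own order would pick RC4 over every one of these.
        stronger_after = sum(1 for n in names[pos + 1:] if "RC4" not in n)
    return {
        "cipher_string": cipher_string,
        "suites": len(names),
        "rc4_index": pos,
        "stronger_after": stronger_after,
    }


if __name__ == "__main__":
    print("libssl:", ssl.OPENSSL_VERSION)
    for label, cipher_string in CIPHER_STRINGS.items():
        result = audit(cipher_string)
        print(f"{label:9s} {result['cipher_string']:18s} "
              f"suites={result['suites']:3d} rc4_index={result['rc4_index']} "
              f"stronger_after={result['stronger_after']}")
```

Run it against any server's configured cipher string (the value handed to `SSL_CTX_set_cipher_list`, or the equivalent web-server directive): `rc4_index` being `None` corresponds to Hubert's position, and `rc4_index` set with `stronger_after == 0` corresponds to Viktor's "RC4 last" position; anything with `stronger_after > 0` means the server will choose RC4 over stronger suites it also offers.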
