Hi Viktor, I disagree with a couple of points you make:
* Viktor Dukhovni <[email protected]> [141014 10:30]:
> And in particular the "MUST NOT" for RC4 is also inapplicable with
> opportunistic TLS.
>
> [...]
>
> 3.
> SSL Protocol version recommendations.
>
> Once again with unauthenticated opportunistic TLS even SSL 3.0 or
> TLS 1.0 is (much) better than cleartext. So the MUST NOT SSL 3.0
> and SHOULD NOT TLS 1.0 are too strong.

So once again we have the whole 'opportunistic' discussion. I strongly disagree that both should be changed from MUST NOT to a SHOULD NOT or even something less. The whole point should be to deprecate SSLv3 and RC4 as soon as possible, no matter what. I do not think it matters if the WG sees 'opportunistic' encryption as sufficient: both have to go. They are a real-world security threat.

In particular, downgrade attacks on unauthenticated TLS will enable less-than-optimal security for server and client with SSLv3 and might enable various attack vectors. For example, the recent virtual host confusion attack [0] relies on this fact. I'm sure there are other attacks. If we're talking 'opportunistic' again: as far as I can remember, SSLv3 is susceptible to replay attacks on anonymous Diffie-Hellman [1].

As said, I think we should deprecate RC4 and SSLv3 ASAP. I'm happy that Google does practically the same thing with deprecating SHA1: once their browser and Android devices issue a warning, every snakeoil CA needs to act or will lose customers. Sometimes you have to push to get good security widely deployed.

Aaron

[0] - http://bh.ht.vc/
[1] - https://www.schneier.com/paper-ssl.pdf
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
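The message above argues that a server which still accepts SSLv3 or an RC4 cipher suite is a downgrade target even when TLS is only opportunistic. The following is an added example, not code from the original post, from the UTA working group, or from any project mentioned in the thread: it builds a minimal ClientHello that offers only the protocol version and cipher suites you want to test for, parses the ServerHello (or alert) that comes back, and reports whether the server agreed to SSLv3, TLS 1.0 or RC4. Every server response it is exercised against here is constructed inline; the RC4 suite list is a partial selection of IANA-registered values, and `probe()` is an assumed helper for implicit-TLS ports only (it does not perform the SMTP STARTTLS dance).

```python
import socket
import struct

# Protocol version numbers as they appear on the wire.
SSL3_0 = 0x0300
TLS1_0 = 0x0301
TLS1_2 = 0x0303

# IANA cipher-suite numbers (a partial list, enough for the probe).
TLS_RSA_WITH_RC4_128_MD5 = 0x0004
TLS_RSA_WITH_RC4_128_SHA = 0x0005
TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007
TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

RC4_SUITES = {
    TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA,
    TLS_DH_anon_WITH_RC4_128_MD5, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
}

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(version, cipher_suites, client_random=b"\x00" * 32):
    """Serialize a ClientHello record offering exactly `version` and
    `cipher_suites`.  The record/handshake layout is the same for SSLv3
    and TLS 1.x, so one builder serves every downgrade probe."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version)
            + client_random
            + b"\x00"                       # session id: empty
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                  # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_response(data):
    """Decode the first record the server sends: a ServerHello tells us what
    the server agreed to, an alert means it refused the offer."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + rec_len]
    if len(payload) < rec_len:
        raise ValueError("truncated record")
    if ctype == ALERT:
        return {"kind": "alert", "level": payload[0], "description": payload[1]}
    if ctype != HANDSHAKE or payload[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                      # 2 bytes version + 32 bytes random
    off = 35 + sid_len
    cipher = struct.unpack("!H", body[off:off + 2])[0]
    return {"kind": "server_hello", "version": version, "cipher_suite": cipher}


def assess(result):
    """Map what the server negotiated onto the draft's MUST NOT / SHOULD NOT
    language; an alert (refusal) produces no findings."""
    findings = []
    if result["kind"] != "server_hello":
        return findings
    if result["version"] == SSL3_0:
        findings.append("SSLv3 negotiated (MUST NOT)")
    elif result["version"] == TLS1_0:
        findings.append("TLS 1.0 negotiated (SHOULD NOT)")
    if result["cipher_suite"] in RC4_SUITES:
        findings.append("RC4 cipher suite negotiated (MUST NOT)")
    return findings


def sample_server_hello(version, cipher):
    """Constructed ServerHello used as offline test input (not a real capture)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs


def probe(host, port, version=SSL3_0, suites=(TLS_RSA_WITH_RC4_128_SHA,), timeout=5):
    """Assumed helper: send one ClientHello to an implicit-TLS port and
    assess the reply.  Not used by the offline checks below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, list(suites)))
        return assess(parse_server_response(s.recv(4096)))
```

Offering a single legacy version and only RC4 suites is deliberate: a conforming server should answer with a `protocol_version` or `handshake_failure` alert, and a ServerHello instead is exactly the downgrade the message warns about.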
