

The Web is World-Wide, or who still needs RC4? - jgrahamc
http://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4

======
sitkack
YouTube _requires_ RC4

    
    
          sslscan r18---sn-nx57yn7r.googlevideo.com
                           _
                   ___ ___| |___  ___ __ _ _ __
                  / __/ __| / __|/ __/ _` | '_ \
                  \__ \__ \ \__ \ (_| (_| | | | |
                  |___/___/_|___/\___\__,_|_| |_|
        
                          Version 1.8.0
                     http://www.titania.co.uk
                Copyright Ian Ventura-Whiting 2009
        
        Testing SSL server r18---sn-nx57yn7r.googlevideo.com on port 443
        
          Supported Server Cipher(s):
            Rejected  N/A              SSLv2  168 bits  DES-CBC3-MD5
            Rejected  N/A              SSLv2  56 bits   DES-CBC-MD5
            Rejected  N/A              SSLv2  40 bits   EXP-RC2-CBC-MD5
            Rejected  N/A              SSLv2  128 bits  RC2-CBC-MD5
            Rejected  N/A              SSLv2  40 bits   EXP-RC4-MD5
            Rejected  N/A              SSLv2  128 bits  RC4-MD5
            Rejected  N/A              SSLv3  128 bits  ADH-SEED-SHA
            Rejected  N/A              SSLv3  128 bits  DHE-RSA-SEED-SHA
            Rejected  N/A              SSLv3  128 bits  DHE-DSS-SEED-SHA
            Rejected  N/A              SSLv3  128 bits  SEED-SHA
            Rejected  N/A              SSLv3  256 bits  ADH-AES256-SHA
            Rejected  N/A              SSLv3  256 bits  DHE-RSA-AES256-SHA
            Rejected  N/A              SSLv3  256 bits  DHE-DSS-AES256-SHA
            Rejected  N/A              SSLv3  256 bits  AES256-SHA
            Rejected  N/A              SSLv3  128 bits  ADH-AES128-SHA
            Rejected  N/A              SSLv3  128 bits  DHE-RSA-AES128-SHA
            Rejected  N/A              SSLv3  128 bits  DHE-DSS-AES128-SHA
            Rejected  N/A              SSLv3  128 bits  AES128-SHA
            Rejected  N/A              SSLv3  168 bits  ADH-DES-CBC3-SHA
            Rejected  N/A              SSLv3  56 bits   ADH-DES-CBC-SHA
            Rejected  N/A              SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
            Rejected  N/A              SSLv3  128 bits  ADH-RC4-MD5
            Rejected  N/A              SSLv3  40 bits   EXP-ADH-RC4-MD5
            Rejected  N/A              SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
            Rejected  N/A              SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
            Rejected  N/A              SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
            Rejected  N/A              SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
            Rejected  N/A              SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
            Rejected  N/A              SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
            Rejected  N/A              SSLv3  168 bits  DES-CBC3-SHA
            Rejected  N/A              SSLv3  56 bits   DES-CBC-SHA
            Rejected  N/A              SSLv3  40 bits   EXP-DES-CBC-SHA
            Rejected  N/A              SSLv3  40 bits   EXP-RC2-CBC-MD5
            Accepted  SSLv3  128 bits  RC4-SHA
            Rejected  N/A              SSLv3  128 bits  RC4-MD5
            Rejected  N/A              SSLv3  40 bits   EXP-RC4-MD5
            Rejected  N/A              SSLv3  0 bits    NULL-SHA
            Rejected  N/A              SSLv3  0 bits    NULL-MD5
            Rejected  N/A              TLSv1  128 bits  ADH-SEED-SHA
            Rejected  N/A              TLSv1  128 bits  DHE-RSA-SEED-SHA
            Rejected  N/A              TLSv1  128 bits  DHE-DSS-SEED-SHA
            Rejected  N/A              TLSv1  128 bits  SEED-SHA
            Rejected  N/A              TLSv1  256 bits  ADH-AES256-SHA
            Rejected  N/A              TLSv1  256 bits  DHE-RSA-AES256-SHA
            Rejected  N/A              TLSv1  256 bits  DHE-DSS-AES256-SHA
            Rejected  N/A              TLSv1  256 bits  AES256-SHA
            Rejected  N/A              TLSv1  128 bits  ADH-AES128-SHA
            Rejected  N/A              TLSv1  128 bits  DHE-RSA-AES128-SHA
            Rejected  N/A              TLSv1  128 bits  DHE-DSS-AES128-SHA
            Rejected  N/A              TLSv1  128 bits  AES128-SHA
            Rejected  N/A              TLSv1  168 bits  ADH-DES-CBC3-SHA
            Rejected  N/A              TLSv1  56 bits   ADH-DES-CBC-SHA
            Rejected  N/A              TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
            Rejected  N/A              TLSv1  128 bits  ADH-RC4-MD5
            Rejected  N/A              TLSv1  40 bits   EXP-ADH-RC4-MD5
            Rejected  N/A              TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
            Rejected  N/A              TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
            Rejected  N/A              TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
            Rejected  N/A              TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
            Rejected  N/A              TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
            Rejected  N/A              TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
            Rejected  N/A              TLSv1  168 bits  DES-CBC3-SHA
            Rejected  N/A              TLSv1  56 bits   DES-CBC-SHA
            Rejected  N/A              TLSv1  40 bits   EXP-DES-CBC-SHA
            Rejected  N/A              TLSv1  40 bits   EXP-RC2-CBC-MD5
            Accepted  TLSv1  128 bits  RC4-SHA
            Rejected  N/A              TLSv1  128 bits  RC4-MD5
            Rejected  N/A              TLSv1  40 bits   EXP-RC4-MD5
            Rejected  N/A              TLSv1  0 bits    NULL-SHA
            Rejected  N/A              TLSv1  0 bits    NULL-MD5
        
          Prefered Server Cipher(s):
            SSLv3  128 bits  RC4-SHA
            TLSv1  128 bits  RC4-SHA
        
          SSL Certificate:
            Version: 2
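
The scan above accepts exactly one suite per protocol. As an added example (not part of the original comment and not sslscan's own code), this parser reads sslscan 1.8-style rows and checks whether a server is RC4-only and whether a client with a given suite list could connect; the function names and the AES-only client list are assumptions made for illustration, and matching is by suite name only.

```python
import re

# Matches both row shapes in the scan: "Rejected  N/A  SSLv3  128 bits  X"
# and "Accepted  SSLv3  128 bits  X" (accepted rows have no N/A column).
ROW = re.compile(
    r"^\s*(Accepted|Rejected)\s+(?:N/A\s+)?"
    r"(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)\s*$"
)

def parse_sslscan(text):
    """Return (status, protocol, key_bits, suite) for every cipher row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            status, proto, bits, suite = m.groups()
            rows.append((status, proto, int(bits), suite))
    return rows

def accepted_by_protocol(rows):
    """Group accepted suite names by protocol version."""
    out = {}
    for status, proto, _bits, suite in rows:
        if status == "Accepted":
            out.setdefault(proto, []).append(suite)
    return out

def rc4_only(rows):
    """True if the server accepts at least one suite and every one is RC4."""
    accepted = [s for st, _p, _b, s in rows if st == "Accepted"]
    return bool(accepted) and all("RC4" in s for s in accepted)

def client_can_connect(rows, client_suites):
    """True if a client offering only client_suites shares an accepted suite."""
    accepted = {s for st, _p, _b, s in rows if st == "Accepted"}
    return bool(accepted & set(client_suites))

# Rows copied from the scan output above (excerpt, not the full listing).
SAMPLE = """\
    Rejected  N/A              SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Rejected  N/A              TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
  Prefered Server Cipher(s):
    TLSv1  128 bits  RC4-SHA
"""

if __name__ == "__main__":
    rows = parse_sslscan(SAMPLE)
    print(accepted_by_protocol(rows), "RC4 only:", rc4_only(rows))
```

The "Prefered Server Cipher(s)" rows carry no Accepted/Rejected status, so the parser skips them rather than counting RC4-SHA twice.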

~~~
valarauca1
This needs more attention. It's total bullshit. I can't watch YouTube videos in
Firefox 29 because of this. Well, with RC4 disabled. Currently I use Opera for
my YouTube watching, and Firefox for my general browsing. It's a hassle and
should be fixed. RC4 is broken [citation not given because shouldn't be
needed], it's been broken for a while and isn't gonna fix itself any time soon.

~~~
rentnorove
For what it's worth, I have the same issue and have been watching YouTube
videos in FF by falling back to the HTTP version. It's not as if the TLS was
offering any privacy anyway.

------
ColinDabritz
Wonderful and fascinating analysis. Thanks for the data.

You can see why SSL proxies would prefer a lighter weight protocol, hijacking
all that traffic is taxing! On the other hand, if you're in the middle for
presumably legitimate reasons, you have a responsibility to protect those
connections. On the other hand, a malicious man-in-the-middle would want to go
undetected, and probably does a better job of passing along the same protocol
the client is using. It's time to replace those ancient proxies, and perhaps
consider not restricting your users' freedoms. A win-win.

~~~
schoen
Jeff Jarmoc had a great talk about this at BlackHat Europe:

[http://www.secureworks.com/cyber-threat-intelligence/threats...](http://www.secureworks.com/cyber-threat-intelligence/threats/transitive-trust/)
[https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-S...](https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf)

He described the risk of outsourcing cryptographic security to a proxy --
though he was more focused on the fact that the proxy might not be as cautious
or as correct about validating certs as your client, rather than that the
proxy might have a different ciphersuite policy than your client. But he does
explicitly mention this risk, including the idea that the proxy may be using a
weaker ciphersuite. (The example he gives is PFS, where your client and the
server might both support PFS ciphersuites, but the proxy might not, so you
don't actually get PFS.)

~~~
voltagex_
Yep. Things like Bluecoat were vulnerable to reverse-heartbleed, even if the
servers/clients behind them weren't.

------
xenophonf
Don't know about the rest of you, but the most secure cipher I can support on
older combinations of Apache and OpenSSL is RC4. I'm (slowly) replacing these
old installs with Apache 2.4 and OpenSSL 1.0.1, which gives me TLSv1.2 and
newer cipher suites. I'd imagine that many web servers and not a few browsers
are stuck at TLSv1.0, where RC4 is more secure than other cipher suites
because of BEAST.

------
rikacomet
Verisign still uses RC4 in its certificates. While most of the trusted
certificates have moved to SHA-1 and SHA-2, Verisign still uses RC4 in some
places.

~~~
agwa
You're confusing encryption algorithms (RC4) and hash algorithms (SHA-1 and
SHA-2). Certificates do not use an encryption algorithm nor do they influence
your choice of encryption algorithm.

~~~
rikacomet
Check the security certificate here. I might be wrong about the exact nature,
but the last I heard, MD5 and RC4 in certificates were bad.

[https://www.unionbankonline.co.in/](https://www.unionbankonline.co.in/)

~~~
schoen
I don't see MD5 anywhere in that certificate. I think that you are confusing
the _ciphersuite_ (which is negotiated dynamically between the client and the
server on each connection, and is actually used to directly protect and
authenticate the content of the communication) with the _certificate_ (which
is issued infrequently -- typically once per year or once every other year --
by a certificate authority and used to authenticate the server's public key,
which is one prerequisite for secure session negotiation).

The signature algorithm in the certificate itself is sha1WithRSAEncryption
(try exporting the cert and running "openssl x509 -in their_cert.pem -text
-noout" for a summary of the content). I also don't see RC4 anywhere in the
cert.

It is true that the _web server_ is using RC4 to protect the TLS connections
that it negotiates (probably inadvisedly!), and that MD5 is also used in its
negotiated ciphersuite, but the use of these algorithms isn't specified,
required, recommended, or assumed anywhere in the digital certificate that the
server is presenting to authenticate the connection. Rather, the choice of RC4
(and MD5) is made dynamically during the ciphersuite negotiation between the
client and server on each connection, presumably based on the (somewhat
obsolete) server defaults that the bank has chosen.

I agree with the previous commenter that RC4 can't be specified (or used) in
certificates, though MD5 can be used as part of a signature method within the
certificate, but happens not to be in your example.

~~~
rikacomet
Ah that clears up a few things for me. Thanks.

