Prohibiting RC4 Cipher Suites - jgrahamc
https://tools.ietf.org/html/rfc7465

======
AlyssaRowan
Thanks TLS WG! Great to see this one out the door.

Yes, this is a die-die-die draft, not a gentle transition. It will not go
gently into the night, but it's _well past_ time to disable RC4 in browsers
and servers completely. There have been more public attacks since the draft, I
believe, that there wasn't time to add, and of course, strong speculation that
intelligence agencies (notably the NSA) have a practical break of RC4 in the
wild.

If you manage a server, or you're on a browser, please go turn it off. Every
second you accept or use RC4 is a second your data, or your users' data, is
probably being leaked - and an attacker who records it will always be able to
read it later, when RC4 gets even weaker.

If your server accepts RC4, I believe you are no longer PCI-compliant (and a
_lot_ of banks will need to be made aware of this!). And if your server
accepts _only_ RC4, you made a _very_ bad call indeed.

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566)
needs to be upgraded in severity to at least 4. Please badger NIST about this.

TLS v1.2 with ECDHE-RSA-AES128-GCM-SHA256 is a good replacement in most cases,
and is what the UTA BCP will recommend for common use - see the current draft
here: [https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-09](https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-09)

The CHACHA20_POLY1305 AEAD is also very suitable as a replacement; although
it, and its usage in TLS clients and servers, is currently draft, that draft
is already live in Chrome and on various servers, including in BoringSSL and
LibreSSL and delivers extremely good performance (and 256-bit workfactor
security) where AES acceleration is not available.

If you absolutely must talk to Ye Olde Windows XP, 3DES is your last choice,
but it's a crappy choice. Windows XP is long out of support anyway.

I hope we can see rapid adoption in browsers, or at the very least, the big
fat red warning pages usage of RC4 actually deserves.

Relevant bug for Mozilla:
[https://bugzilla.mozilla.org/show_bug.cgi?id=999544](https://bugzilla.mozilla.org/show_bug.cgi?id=999544)
- the initial approach it's trying is to include a whitelist of TLS1.0&non-RC4
intolerant servers and fall back only for them, I think with a warning. There
are not very many.

Chrome:
[https://code.google.com/p/chromium/issues/detail?id=375342](https://code.google.com/p/chromium/issues/detail?id=375342)

Not sure about IE, but it's on fallback there already so let's hope.
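The three rules RFC 7465 imposes on TLS endpoints (clients must not offer RC4 suites, servers must not select one, clients must abort if a server does), applied offline to cipher-suite code points. This is an added example, not code from the comment above, the RFC, or any browser; the code points are the IANA TLS Cipher Suite Registry values, the RC4 table is a subset of the RFC's appendix, and the ClientHello vector is constructed.

```python
# Added example: RFC 7465 checks on TLS cipher-suite code points (IANA values),
# run on a constructed ClientHello cipher_suites vector. Not from the RFC itself.

# RC4 cipher suites by IANA code point (a subset of the RFC 7465 appendix).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}


def parse_cipher_suites(vector: bytes) -> list[int]:
    """Parse a ClientHello cipher_suites vector: 2-byte length, then 2-byte code points."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    length = int.from_bytes(vector[:2], "big")
    body = vector[2:2 + length]
    if length % 2 or len(body) != length:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, length, 2)]


def rc4_offered(offered: list[int]) -> list[str]:
    """Rule 1: a client MUST NOT include RC4 suites; returns the names that violate it."""
    return [RC4_SUITES[s] for s in offered if s in RC4_SUITES]


def server_may_select(offered: list[int], selected: int) -> bool:
    """Rule 2: a server MUST NOT select RC4 even if offered (and must pick an offered suite)."""
    return selected in offered and selected not in RC4_SUITES


def client_must_abort(selected: int) -> bool:
    """Rule 3: a client MUST terminate the handshake if the server selects an RC4 suite."""
    return selected in RC4_SUITES


# Constructed ClientHello cipher_suites vector offering ECDHE-RSA-AES128-GCM-SHA256
# (0xC02F), TLS_RSA_WITH_RC4_128_SHA (0x0005) and TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xC011).
SAMPLE_VECTOR = bytes([0x00, 0x06, 0xC0, 0x2F, 0x00, 0x05, 0xC0, 0x11])

if __name__ == "__main__":
    offered = parse_cipher_suites(SAMPLE_VECTOR)
    print("RC4 suites the client offered:", rc4_offered(offered))
    print("server may pick 0xC02F:", server_may_select(offered, 0xC02F))
    print("server may pick 0x0005:", server_may_select(offered, 0x0005))
    print("client aborts on 0xC011:", client_must_abort(0xC011))
```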