----- Original Message -----
> From: "Brian Smith" <br...@briansmith.org>
> To: "mozilla's crypto code discussion list"
> <dev-tech-crypto@lists.mozilla.org>
> Sent: Monday, 30 June, 2014 12:23:41 AM
> Subject: Re: Road to RC4-free web (the case for YouTube without RC4)
>
> On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario <hka...@redhat.com> wrote:
>
> > Because of that, disabling RC4 should be possible for many users. The big
> > exception for that was YouTube video servers[4] which only recently gained
> > support for TLS_RSA_WITH_AES_128_GCM_SHA256.
> >
>
> Hi,
>
> I read your blog post at
> http://securitypitfalls.wordpress.com/2014/06/29/is-rc4-less, which is
> interesting. The blog post compares how enabling/disabling various cipher
> suites affects the percentage of sites that end up negotiating RC4.
> However, I noticed that you didn't measure how enabling/disabling various
> cipher suites affects how often Firefox uses ECDHE, DHE with a strong
> (>=1280 bit, at least), DHE with weak, or RSA key exchange.

If the question is, "does removing RC4 with adding extra ciphers give up
PFS?", the answer is likely* yes, by 2%. But adding or removing ciphers has
a small impact on PFS compared to the 20% elephant in the room.

 * - those are simulated handshakes using OpenSSL cipher order, so while the
     AES to RC4 relation is maintained, the relation between AES128 and
     AES256 is not, as well as the relation between DHE-AES128 and AES256,
     so in reality a connection using Firefox would likely end up with an
     AES128 cipher while the order below shows AES256 ciphers.
     Next month's data will include information if the server appears to use
     server cipher order or not so the simulations will match reality more
     closely.

If we use the following cipher order:

'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES256-SHA',
'ECDHE-ECDSA-AES128-SHA',
'ECDHE-RSA-AES128-SHA',
'ECDHE-RSA-AES256-SHA',
'ECDHE-RSA-DES-CBC3-SHA',
'ECDHE-ECDSA-RC4-SHA',
'ECDHE-RSA-RC4-SHA',
'DHE-RSA-AES128-SHA',
'DHE-DSS-AES128-SHA',
'DHE-RSA-CAMELLIA128-SHA',
'DHE-RSA-AES256-SHA',
'DHE-DSS-AES256-SHA',
'DHE-RSA-CAMELLIA256-SHA',
'EDH-RSA-DES-CBC3-SHA',
'AES128-SHA',
'CAMELLIA128-SHA',
'AES256-SHA',
'CAMELLIA256-SHA',
'DES-CBC3-SHA',
'RC4-SHA',
'RC4-MD5'

Then simulated handshakes end with:

Selected ciphers              Count     Percent
-----------------------------+---------+------
AES128-SHA                    23354     6.6545
AES256-SHA                    48262     13.7519
CAMELLIA128-SHA               2         0.0006
CAMELLIA256-SHA               188       0.0536
DES-CBC3-SHA                  996       0.2838
DHE-RSA-AES128-SHA            704       0.2006
DHE-RSA-AES256-SHA            105819    30.1522
DHE-RSA-CAMELLIA256-SHA       336       0.0957
ECDHE-ECDSA-AES128-GCM-SHA256 9192      2.6192
ECDHE-ECDSA-AES128-SHA        12        0.0034
ECDHE-ECDSA-RC4-SHA           1         0.0003
ECDHE-RSA-AES128-GCM-SHA256   40876     11.6473
ECDHE-RSA-AES128-SHA          172       0.049
ECDHE-RSA-AES256-SHA          45331     12.9167
ECDHE-RSA-DES-CBC3-SHA        252       0.0718
ECDHE-RSA-RC4-SHA             27726     7.9003
EDH-RSA-DES-CBC3-SHA          652       0.1858
RC4-MD5                       9344      2.6625
RC4-SHA                       37699     10.742
x:DHE                         107511    30.6344
x:ECDHE                       123562    35.208
x:kRSA                        119845    34.1488

Removing

'ECDHE-ECDSA-RC4-SHA',
'ECDHE-RSA-RC4-SHA',

Doesn't change the compatibility:

x:FF 29 incompatible          39        0.0111

causes the servers to select the following ciphers:

Selected ciphers              Count     Percent
-----------------------------+---------+------
AES128-SHA                    23354     6.6545
AES256-SHA                    48262     13.7519
CAMELLIA128-SHA               2         0.0006
CAMELLIA256-SHA               188       0.0536
DES-CBC3-SHA                  996       0.2838
DHE-RSA-AES128-SHA            704       0.2006
DHE-RSA-AES256-SHA            105821    30.1528
DHE-RSA-CAMELLIA256-SHA       336       0.0957
ECDHE-ECDSA-AES128-GCM-SHA256 9192      2.6192
ECDHE-ECDSA-AES128-SHA        13        0.0037
ECDHE-RSA-AES128-GCM-SHA256   40878     11.6478
ECDHE-RSA-AES128-SHA          200       0.057
ECDHE-RSA-AES256-SHA          46972     13.3843
ECDHE-RSA-DES-CBC3-SHA        252       0.0718
EDH-RSA-DES-CBC3-SHA          652       0.1858
RC4-MD5                       9344      2.6625
RC4-SHA                       63744     18.1633
x:DHE                         107513    30.6349
x:ECDHE                       97507     27.7838
x:kRSA                        145890    41.5701

So about 0.5% of servers did select a better cipher, mostly
ECDHE-RSA-AES256-SHA*. But at the "cost" of selecting non-PFS suites
(by 7.4%).

Leaving RC4 in place but adding ECDHE-RSA-AES128-SHA256 causes the
negotiated ciphers to look like this:

Selected ciphers              Count     Percent
-----------------------------+---------+------
AES128-SHA                    23347     6.6525
AES256-SHA                    48261     13.7516
CAMELLIA128-SHA               2         0.0006
CAMELLIA256-SHA               188       0.0536
DES-CBC3-SHA                  996       0.2838
DHE-RSA-AES128-SHA            703       0.2003
DHE-RSA-AES256-SHA            105815    30.1511
DHE-RSA-CAMELLIA256-SHA       336       0.0957
ECDHE-ECDSA-AES128-GCM-SHA256 9192      2.6192
ECDHE-ECDSA-AES128-SHA        12        0.0034
ECDHE-ECDSA-RC4-SHA           1         0.0003
ECDHE-RSA-AES128-GCM-SHA256   40839     11.6367
ECDHE-RSA-AES128-SHA          117       0.0333
ECDHE-RSA-AES128-SHA256       7456      2.1245
ECDHE-RSA-AES256-SHA          44696     12.7358
ECDHE-RSA-DES-CBC3-SHA        252       0.0718
ECDHE-RSA-RC4-SHA             21407     6.0997
EDH-RSA-DES-CBC3-SHA          652       0.1858
RC4-MD5                       9344      2.6625
RC4-SHA                       37302     10.6289
x:DHE                         107506    30.6329
x:ECDHE                       123972    35.3248
x:kRSA                        119440    34.0334

That not only makes the servers select a more secure cipher, it also
decreases the number of non-PFS connections by a small amount.

If we add the rest of the SHA256 ciphers we get the following listing:

Selected ciphers              Count     Percent
-----------------------------+---------+------
AES128-GCM-SHA256             1540      0.4388
AES128-SHA                    18898     5.3848
AES128-SHA256                 4436      1.264
AES256-SHA                    42657     12.1548
AES256-SHA256                 10724     3.0557
CAMELLIA128-SHA               1         0.0003
CAMELLIA256-SHA               173       0.0493
DES-CBC3-SHA                  988       0.2815
DHE-RSA-AES128-GCM-SHA256     1482      0.4223
DHE-RSA-AES128-SHA            314       0.0895
DHE-RSA-AES128-SHA256         3         0.0009
DHE-RSA-AES256-SHA            75470     21.5045
DHE-RSA-AES256-SHA256         30620     8.7249
DHE-RSA-CAMELLIA256-SHA       295       0.0841
ECDHE-ECDSA-AES128-GCM-SHA256 9192      2.6192
ECDHE-ECDSA-AES128-SHA        12        0.0034
ECDHE-ECDSA-RC4-SHA           1         0.0003
ECDHE-RSA-AES128-GCM-SHA256   36095     10.285
ECDHE-RSA-AES128-SHA          117       0.0333
ECDHE-RSA-AES128-SHA256       6795      1.9362
ECDHE-RSA-AES256-SHA          44608     12.7107
ECDHE-RSA-DES-CBC3-SHA        252       0.0718
ECDHE-RSA-RC4-SHA             21109     6.0148
EDH-RSA-DES-CBC3-SHA          651       0.1855
RC4-MD5                       8890      2.5331
RC4-SHA                       35597     10.1431
x:DHE                         108835    31.0116
x:ECDHE                       118181    33.6747
x:kRSA                        123904    35.3054

So while we don't gain on the PFS front, we gain on RC4.

Disabling ECDHE+RC4 with SHA256 enabled paints the following picture:

Selected ciphers              Count     Percent
-----------------------------+---------+------
AES128-GCM-SHA256             1540      0.4388
AES128-SHA                    18898     5.3848
AES128-SHA256                 4436      1.264
AES256-SHA                    42657     12.1548
AES256-SHA256                 10724     3.0557
CAMELLIA128-SHA               1         0.0003
CAMELLIA256-SHA               173       0.0493
DES-CBC3-SHA                  988       0.2815
DHE-RSA-AES128-GCM-SHA256     1482      0.4223
DHE-RSA-AES128-SHA            314       0.0895
DHE-RSA-AES128-SHA256         3         0.0009
DHE-RSA-AES256-SHA            75472     21.5051
DHE-RSA-AES256-SHA256         30620     8.7249
DHE-RSA-CAMELLIA256-SHA       295       0.0841
ECDHE-ECDSA-AES128-GCM-SHA256 9192      2.6192
ECDHE-ECDSA-AES128-SHA        13        0.0037
ECDHE-RSA-AES128-GCM-SHA256   36097     10.2855
ECDHE-RSA-AES128-SHA          140       0.0399
ECDHE-RSA-AES128-SHA256       6797      1.9367
ECDHE-RSA-AES256-SHA          46247     13.1777
ECDHE-RSA-DES-CBC3-SHA        252       0.0718
EDH-RSA-DES-CBC3-SHA          651       0.1855
RC4-MD5                       8890      2.5331
RC4-SHA                       55031     15.6806
x:DHE                         108837    31.0122
x:ECDHE                       98738     28.1346
x:kRSA                        143338    40.843

Disabling RC4 completely with SHA256 enabled gives the following statistics:

Selected ciphers              Count     Percent
-----------------------------+---------+------
AES128-GCM-SHA256             1549      0.4414
AES128-SHA                    37431     10.6657
AES128-SHA256                 6244      1.7792
AES256-SHA                    47065     13.4108
AES256-SHA256                 12504     3.5629
CAMELLIA128-SHA               2         0.0006
CAMELLIA256-SHA               14917     4.2505
DES-CBC3-SHA                  8558      2.4385
DHE-RSA-AES128-GCM-SHA256     1482      0.4223
DHE-RSA-AES128-SHA            329       0.0937
DHE-RSA-AES128-SHA256         3         0.0009
DHE-RSA-AES256-SHA            79680     22.7042
DHE-RSA-AES256-SHA256         31581     8.9987
DHE-RSA-CAMELLIA256-SHA       726       0.2069
ECDHE-ECDSA-AES128-GCM-SHA256 9192      2.6192
ECDHE-ECDSA-AES128-SHA        13        0.0037
ECDHE-RSA-AES128-GCM-SHA256   36099     10.2861
ECDHE-RSA-AES128-SHA          219       0.0624
ECDHE-RSA-AES128-SHA256       6811      1.9407
ECDHE-RSA-AES256-SHA          51919     14.7939
ECDHE-RSA-DES-CBC3-SHA        312       0.0889
EDH-RSA-DES-CBC3-SHA          668       0.1903
x:DHE                         114469    32.617
x:ECDHE                       104565    29.7949
x:kRSA                        128270    36.5495

So we give up about 2% of PFS and gain 2% of DHE for those 20% of RC4.

--
Regards,
Hubert Kario
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
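
Added example, not part of the original message or of the author's tooling: a small Python simulation of the kind of handshake selection the message tabulates, showing why dropping only the ECDHE+RC4 suites can move RC4-preferring servers to RC4-SHA (kRSA) and so lose PFS. The server lists are constructed for illustration, the client list is a subset of the order quoted in the message, and all function names are hypothetical.

```python
from collections import Counter

# Subset of the client order quoted in the message (OpenSSL suite names).
CLIENT_ORDER = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-RC4-SHA", "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5",
]

def kx_class(suite):
    """Bucket a suite the way the x:DHE / x:ECDHE / x:kRSA rows do."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "kRSA"

def negotiate(client, server, server_order):
    """Return the suite the server picks, or None if nothing is shared."""
    if server_order:  # server enforces its own preference list
        return next((s for s in server if s in client), None)
    return next((s for s in client if s in server), None)

def tally(client, servers):
    """Count key-exchange classes and RC4 use over all simulated handshakes."""
    out = Counter()
    for suites, server_order in servers:
        picked = negotiate(client, suites, server_order)
        if picked is None:
            out["incompatible"] += 1
            continue
        out[kx_class(picked)] += 1
        out["RC4"] += int("RC4" in picked)
    return out

# Constructed sample servers: (preference list, honours its own order?)
SERVERS = [
    (["ECDHE-RSA-RC4-SHA", "RC4-SHA", "ECDHE-RSA-AES256-SHA", "AES256-SHA"], True),
    (["ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES256-SHA", "RC4-SHA"], True),
    (["DHE-RSA-AES256-SHA", "AES256-SHA", "RC4-SHA"], False),
    (["RC4-SHA", "RC4-MD5"], True),
]
NO_ECDHE_RC4 = [s for s in CLIENT_ORDER if not (s.startswith("ECDHE-") and "RC4" in s)]
NO_RC4 = [s for s in CLIENT_ORDER if "RC4" not in s]

if __name__ == "__main__":
    for name, client in [("all", CLIENT_ORDER), ("no ECDHE+RC4", NO_ECDHE_RC4), ("no RC4", NO_RC4)]:
        print(name, dict(tally(client, SERVERS)))
```

With these constructed servers, removing only ECDHE+RC4 turns one ECDHE handshake into RC4-SHA, while removing RC4 entirely restores the ECDHE count and leaves the RC4-only server incompatible.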