On Mon, Jun 30, 2014 at 1:56 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> On 2014-06-30 02:35, Hubert Kario wrote:
>>> The benefits of ECDHE outweigh the risks of using RC4,
>>
>> I have to disagree here. Even 1024 bit DHE requires a targeted attack at
>> ~80 bit complexity. Currently we see RC4 at around 56 bit, with a completely
>> unoptimized attack...
>
> Do you have a reference for those 56 bit? You're not talking about the
> old export ciphers I hope? I haven't seen anything saying that the 128 bit
> RC4 has a complexity of 56 bit. If it's really at 56 bit, we should
> disable it everywhere now, no matter if it breaks things or not.
>
> I think we should do all that's possible to avoid RC4. I think that for
> now we should follow Microsoft in not having RC4 in the initial handshake
> and if that fails retry with RC4 enabled. It's my understanding that that
> should reduce RC4 usage from 20% of the sites to 1%.
I would welcome a patch that does that. I think initially we should do it
without disabling TLS_ECDHE_*_WITH_RC4_*, instead only disabling
TLS_RSA_WITH_RC4_*, so that we don't push sites that choose
TLS_ECDHE_*_WITH_RC4_* to using non-ephemeral key exchange.

I think, in parallel with that, we can figure out why so many sites are still
using TLS_ECDHE_*_WITH_RC4_* instead of TLS_ECDHE_*_WITH_AES* and start the
technical evangelism efforts to help them.

Cheers,
Brian

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
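The two client policies discussed in this exchange (Kurt's "no RC4 in the first handshake, retry with RC4 on failure" and Brian's narrower "drop only TLS_RSA_WITH_RC4_* in the first handshake, keep TLS_ECDHE_*_WITH_RC4_*") can be simulated against a few server configurations to see why the choice matters. The block below is an added illustration, not NSS or Firefox code and not a measurement of real sites. It assumes a constructed client suite list, servers that pick by their own preference order (server-preference; many servers are configured that way, but not all), and a fallback that simply re-runs the handshake with the full client list when the restricted first handshake finds no common suite. The suite names are standard IANA names; the server lists and the helper names (`connect`, `negotiate`, `pushed_to_static_rsa`) are mine.

```python
"""Simulate client-side RC4 policies against server cipher-suite preferences.

Added example, not NSS/Firefox code. Assumptions:
  * CLIENT_SUITES is a constructed offer list in client preference order,
  * servers select by their own preference order (server-preference),
  * "fallback" = retry the handshake with the full client list (RC4 enabled)
    when the restricted first handshake has no suite in common.
"""
from typing import Callable, List, Optional, Tuple

Policy = Callable[[List[str]], List[str]]

# Constructed client offer (not the real NSS default list), preference order.
CLIENT_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]


def is_rc4(suite: str) -> bool:
    return "_WITH_RC4_" in suite


def is_ephemeral(suite: str) -> bool:
    """ECDHE/DHE suites give forward secrecy; static RSA key exchange does not."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def is_static_rsa_rc4(suite: str) -> bool:
    return suite.startswith("TLS_RSA_WITH_RC4_")


def strict_no_rc4(suites: List[str]) -> List[str]:
    """Policy as Kurt describes Microsoft's: no RC4 at all in the first handshake."""
    return [s for s in suites if not is_rc4(s)]


def no_static_rsa_rc4(suites: List[str]) -> List[str]:
    """Brian's proposal: drop only TLS_RSA_WITH_RC4_*, keep TLS_ECDHE_*_WITH_RC4_*."""
    return [s for s in suites if not is_static_rsa_rc4(s)]


def negotiate(client_offer: List[str], server_prefs: List[str]) -> Optional[str]:
    """Server-preference selection: first suite in the server's list the client offered."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None  # no common suite: handshake fails


def connect(server_prefs: List[str], first_pass: Policy,
            client_suites: List[str] = CLIENT_SUITES) -> Tuple[Optional[str], bool]:
    """Restricted first handshake; on failure retry with the full list. Returns (suite, fell_back)."""
    suite = negotiate(first_pass(client_suites), server_prefs)
    if suite is not None:
        return suite, False
    return negotiate(client_suites, server_prefs), True


def pushed_to_static_rsa(server_prefs: List[str]) -> bool:
    """True when the strict policy loses forward secrecy that Brian's policy would keep."""
    strict, _ = connect(server_prefs, strict_no_rc4)
    lenient, _ = connect(server_prefs, no_static_rsa_rc4)
    return (strict is not None and not is_ephemeral(strict)
            and lenient is not None and is_ephemeral(lenient))


# Constructed server configurations (hypothetical, not scan results).
SERVERS = {
    # Site that "chooses" ECDHE-RC4 and falls to static RSA otherwise: Brian's worry.
    "prefers_ecdhe_rc4": ["TLS_ECDHE_RSA_WITH_RC4_128_SHA",
                          "TLS_RSA_WITH_AES_128_CBC_SHA"],
    # RC4-only legacy site: only the fallback retry can reach it under either policy.
    "rc4_only_static_rsa": ["TLS_RSA_WITH_RC4_128_SHA"],
    # Site that ranks ECDHE-RC4 above ECDHE-AES: the evangelism case.
    "ecdhe_rc4_over_ecdhe_aes": ["TLS_ECDHE_RSA_WITH_RC4_128_SHA",
                                 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],
    "modern": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_RC4_128_SHA"],
}

if __name__ == "__main__":
    for name, prefs in SERVERS.items():
        for label, policy in (("strict", strict_no_rc4), ("keep-ecdhe-rc4", no_static_rsa_rc4)):
            suite, fell_back = connect(prefs, policy)
            print(f"{name:26} {label:15} -> {suite} fallback={fell_back}")
        print(f"{name:26} strict policy costs forward secrecy: {pushed_to_static_rsa(prefs)}")
```

Running it shows the trade-off behind the two messages: for `prefers_ecdhe_rc4` the strict policy lands on `TLS_RSA_WITH_AES_128_CBC_SHA` (no forward secrecy) while Brian's keeps `TLS_ECDHE_RSA_WITH_RC4_128_SHA`; the RC4-only server needs the fallback retry under both; and for a server that ranks ECDHE-RC4 above ECDHE-AES only the strict policy moves it to AES, which is why the server-side reordering Brian calls evangelism is needed alongside either client policy.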