The End of RC4 Cipher

Rarely do you come across an RFC that prohibits a technology. RFCs become standards because they are used, so when an RFC says a technology must not be used, it is the amount of remaining usage that decides whether the prohibition actually takes hold.

The Internet Draft "Prohibiting RC4 Cipher Suites" (draft-ietf-tls-prohibiting-rc4), now in the process of becoming an RFC, is one such un-IETF story. The document, on the standards track, requires that Transport Layer Security (TLS) clients and servers never negotiate RC4 cipher suites when they establish connections. It applies to all TLS versions and updates [RFC5246], [RFC4346] and [RFC2246] (TLS 1.2, 1.1 and 1.0).

This comes against the background of the Snowden revelations, with reports suggesting that the NSA could decrypt some TLS traffic in close to real time, and of Google and Microsoft putting their weight behind retiring RC4. The technical case the draft itself makes is that RC4's keystream has statistical biases, and attacks published in 2013 use those biases to recover plaintext from enough encrypted sessions. This is a separate problem from POODLE (short for Padding Oracle On Downgraded Legacy Encryption), which Google disclosed in the same period: POODLE is a flaw in the blueprints of SSL 3.0 itself rather than a software bug, so it affects any product that implements the protocol, from Google Chrome and Mozilla Firefox to Microsoft Internet Explorer. POODLE attacks the CBC padding of SSL 3.0 and does not involve RC4; it is the other half of the same clean-up, and the two should be retired together.

The details of how POODLE works are given here.

The suggested change is simple. Clients must not include any RC4 cipher suite in the ClientHello message, and servers must not select an RC4 cipher suite even if a client offers one. As the document notes, if the client offers only RC4 cipher suites, the TLS server must terminate the handshake, and it may send the "insufficient_security" fatal alert back to the client.
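To make the three rules concrete, here is an added example (written for this post, not code from the draft or from any TLS library) of both sides of that negotiation. The RC4 code points come from the IANA TLS cipher suite registry but are a representative subset, not the full list; the server's preference list and the function names are my own assumptions, and the ClientHello cipher-suite vectors are constructed inline.

```python
import struct

# RC4 cipher suite code points from the IANA TLS Cipher Suite registry.
# Representative subset only; a real implementation must reject every
# suite whose definition uses the RC4 stream cipher.
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
}

# Hypothetical server preference list (assumption for this example), most
# preferred first: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, RSA-AES128-SHA.
SERVER_PREFERENCE = [0xC02F, 0xC013, 0x002F]

# Alert values from RFC 5246 section 7.2.2.
ALERT_LEVEL_FATAL = 2
ALERT_HANDSHAKE_FAILURE = 40
ALERT_INSUFFICIENT_SECURITY = 71


def encode_cipher_suites(suites):
    """Encode code points as the TLS cipher_suites<2..2^16-2> vector:
    a 2-byte length followed by 2 bytes per suite."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(data):
    """Parse the cipher_suites vector of a ClientHello into code points."""
    if len(data) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or len(data) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, length, 2)]


def client_offer(preferred):
    """Client rule: strip every RC4 suite before building the ClientHello."""
    return encode_cipher_suites([s for s in preferred if s not in RC4_SUITES])


def fatal_alert(description):
    """Build a TLS Alert record: content type alert(21), version TLS 1.2,
    2-byte body of level + description."""
    return struct.pack("!BHH", 21, 0x0303, 2) + bytes([ALERT_LEVEL_FATAL, description])


def server_negotiate(client_hello_suites):
    """Server rules: never select RC4; if the client offered only RC4,
    abort with insufficient_security. Returns (selected_suite, alert_record),
    exactly one of which is None."""
    offered = decode_cipher_suites(client_hello_suites)
    acceptable = [s for s in offered if s not in RC4_SUITES]
    if offered and not acceptable:
        # Client insisted on RC4: terminate, optionally telling it why.
        return None, fatal_alert(ALERT_INSUFFICIENT_SECURITY)
    for suite in SERVER_PREFERENCE:
        if suite in acceptable:
            return suite, None
    # Nothing in common for an unrelated reason: ordinary handshake failure.
    return None, fatal_alert(ALERT_HANDSHAKE_FAILURE)


if __name__ == "__main__":
    # Constructed sample offers: a legacy client that still lists RC4 first,
    # and an RC4-only client.
    mixed = encode_cipher_suites([0x0005, 0x0004, 0xC02F])
    rc4_only = encode_cipher_suites([0x0004, 0x0005])
    print(server_negotiate(mixed))     # selects 0xC02F, no alert
    print(server_negotiate(rc4_only))  # (None, alert record ending 02 47)
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -cipher RC4`: a server that complies with the draft refuses that handshake instead of completing it.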

Comments on this draft can be posted until Dec 10. Maybe you want to say something.
