[Pkg-openssl-devel] Bug#778747: Bug#778747: openssl: RFC 7465 says RC4 is broken, never to be used

Kurt Roeckx kurt at roeckx.be
Fri Feb 20 21:50:20 UTC 2015 

On Fri, Feb 20, 2015 at 10:08:48PM +0100, Florian Schlichting wrote:
> On Fri, Feb 20, 2015 at 06:25:44PM +0100, Kurt Roeckx wrote:
> > On Fri, Feb 20, 2015 at 06:10:59PM +0100, Florian Schlichting wrote:
> > > What servers, and what clients are we talking about here?
> > 
> > You might want to look at those stats:
> > https://lists.fedoraproject.org/pipermail/security/2015-February/002069.html
> 
> I did, it's only about web servers and the numbers are not so different
> from the ones I quoted, so it only serves to reinforce my earlier
> argument, no?
> 
> | RC4 still remains as the 3rd most popular cipher, despite loosing 1.3%
> | share, at 80.5%. While servers that support only RC4 ciphers lost only
> | 0.07% it places them at an all time low of 0.79% (3712 servers). Still
> | a large part (13.8%) of servers prefer RC4 even if client supports
> | better ciphers, a drop of only 1.4%. Significant number of servers
> | also force RC4 in TLS1.1 or TLS1.2: 8.75% (drop of 0.7%).
> 
> | Supported Ciphers         Count     Percent
> | -------------------------+---------+-------
> ...
> | RC4                       377778    80.5871
> | RC4 Only                  3712      0.7918
> | RC4 Preferred             64613     13.7832
> | RC4 forced in TLS1.1+     41031     8.7527
> | x:FF 29 RC4 Only          541       0.1154
> | x:FF 29 RC4 Preferred     70622     15.065
> | x:FF 29 incompatible      136       0.029
> ...

One of the probloms is those servers that currently prefer/force RC4
if it's available.  That is administrators who have actually
configured things in such a way.  Removing RC4 from the default
will not fix any of them.  It's that 13.7% that is the problem.

Please note that that 80% is those servers that support it, it
doesn't say 80% of the connections will use that cipher.  Removing
RC4 from the default will most likely result in that percentage
dropping but will have very little effect on the negiotated
cipher.

The ssl-pulse stats might look more useful for that, since it
says 23.3% of the modern browsers will negiotate an RC4 cipher.
But it tests far less servers.  In any case both see the stats
drop in the order of 1% per month.

Please note that RC4 in the default configuration should never be
negiotated by modern clients and servers.  The problem is
administrators who think they know better changed somethign not to
use the defaults.  If we adjust the defaults it's not going to fix
anything.

I consider the support of SSLv3 a more serious problem.


Kurt

More information about the Pkg-openssl-devel mailing list