----- Original Message -----
From: "Nikos Mavrogiannopoulos" <nmav(a)redhat.com>
To: "Hubert Kario" <hkario(a)redhat.com>
Cc: "Tomas Mraz" <tmraz(a)redhat.com>, security(a)lists.fedoraproject.org
Sent: Tuesday, 6 May, 2014 1:17:13 PM
Subject: Re: Fedora crypto policy vs the real world Was: available crypto policies
> On Tue, 2014-05-06 at 06:41 -0400, Hubert Kario wrote:
> > > So no, Windows won't disable RC4 support by default.
> > nitpick: Windows 7 doesn't disable RC4 support by default.
> > Windows 8 does disable RC4 by default:
> I don't think Microsoft would be held as an example, but still they do
> negotiate RC4, as they re-try connecting using RC4 if the first
> handshake fails. From a security point of view, their change is useless,
> as if I can attack RC4, I can simply make the first attempt to connect
> fail, and attack the second that includes RC4.
Yes, for a dedicated attack, it does not change anything, as it is performing
man-in-the-middle anyway. It does help against a passive attacker. But I agree,
connection retry with different ciphers is a bad idea.
> Nevertheless, we cannot even do what they do (i.e., reconnect using
> as fallback). What we do is to set the bar to either allow RC4 or have a
> failed connection, and thus force a plaintext session, that is worse
Sorry, but how does that force a plaintext session?
There's no plaintext fallback for HTTP. Over HTTP you get a redirection to an
HTTPS site that simply won't work, no fallback. If the attacker uses sslstrip
and you don't notice the lack of a padlock, that's not the fault of RC4.
For connections like LDAP, SMTP, POP3 or IMAP you configure it once to either
use or not use SSL. So that's only a configuration-time attack.
And applications which use opportunistic encryption shouldn't use the default
cipher order anyway (as the default won't ever have anonymous DH).
Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
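As an added illustration of the fallback argument in the exchange above, a constructed toy model (not code from any participant, nor from NSS or GnuTLS): it assumes a first-match server cipher choice, a retry that offers only RC4, and an active attacker whose only capability is making a handshake fail, as described in the thread.

```python
"""Toy model of cipher-suite fallback (constructed example; no real TLS)."""

# Assumed cipher-suite names; strong suites first, RC4 kept separate.
STRONG = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]
RC4 = ["RC4-SHA"]


def server_choose(offered, supported):
    """Server picks the first client-offered suite it also supports."""
    return next((s for s in offered if s in supported), None)


def handshake(offered, supported, attacker):
    """One handshake attempt. A passive attacker only observes; an active
    (man-in-the-middle) attacker makes any attempt that does not offer RC4
    fail, which is all it needs to steer the client towards the RC4 retry."""
    if attacker == "active" and not any(s in RC4 for s in offered):
        return None  # handshake 'fails' (dropped or corrupted on the wire)
    return server_choose(offered, supported)


def connect(supported, attacker=None, rc4_fallback=False):
    """Client policy. With rc4_fallback the client re-tries using RC4 after a
    failed handshake (the Windows 8 behaviour discussed above). Returns the
    negotiated suite, or None for a failed connection (never plaintext)."""
    attempts = [STRONG] + ([RC4] if rc4_fallback else [])
    for offer in attempts:
        chosen = handshake(offer, supported, attacker)
        if chosen:
            return chosen
    return None


def compare(supported):
    """Outcome of each client policy against each attacker for one server."""
    return {
        (attacker, fallback): connect(supported, attacker, fallback)
        for attacker in (None, "passive", "active")
        for fallback in (False, True)
    }


if __name__ == "__main__":
    # A server that supports both: the retry only matters under active attack,
    # where the fallback client ends up on RC4 and the strict client fails closed.
    for key, result in sorted(compare(STRONG + RC4).items(), key=str):
        print(key, "->", result)
```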