Road to RC4-free web (the case for YouTube without RC4)

classic Classic list List threaded Threaded
28 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Re: Road to RC4-free web (the case for YouTube without RC4)

Kurt Roeckx
On 2014-07-10 13:53, Henri Sivonen wrote:
> On Tue, Jul 1, 2014 at 11:58 PM, Brian Smith <[hidden email]> wrote:
>> I am interested in discussing what we can do to help more server side
>> products get better cipher suites by default, and on deciding whether we
>> add support for ChaCha20-Poly1304
>
> Out of curiosity, what's holding back a decision to implement
> ChaCha20-Poly1305?

I think implementation already exist, but there currently is no standard
yet on how to do it.  There are various drafts:
https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04
https://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-02
https://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-01

But the states of them are currently unclear to me.

There is also an old patch for NSS available at:
https://bugzilla.mozilla.org/show_bug.cgi?id=917571

I'm not sure that that patch is current or not.

An other alternative is using curve25519.  It's also not standardized
yet, but at this time it seems more likely to be standardized first.

Anyway, using AES-GCM should be what you want to use now.


Kurt

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Road to RC4-free web (the case for YouTube without RC4)

Brian Smith-19
In reply to this post by Hubert Kario
On Thu, Jul 10, 2014 at 5:00 AM, Hubert Kario <[hidden email]> wrote:
> ----- Original Message -----
>> From: "Brian Smith" <[hidden email]>

<snip>

>> However, it is likely that crypto libraries that make the two changes above
>> will also have support for TLS_ECDHE_*_WITH_AES_*_GCM cipher suites too.
>> So, I hope that they also enable TLS_ECDHE_*_WITH_AES_*_GCM at the same
>> time they deploy these changes.

<snip>

> What basis do you have to assume that server administrators will actually
> upgrade their Apache/nginx/lighttpd/OpenSSL/etc. installations?

In this thread you pointed out that a number of websites had updated
their servers to add TLS_RSA_WITH_AES*_GCM* and disable
TLS_RSA_WITH_*_CBC_*, so that Firefox now only negotiates RC4 with
them when it could be negotiating AES-GCM. The fact that they updated
their servers to add non-ECDHE AES-GCM support is good evidence that
these server administrators are paying attention and are likely to
update if/when their server software vendor gives it to them if it
solves a need (like improving what Firefox negotiates), right?

Regarding your request about how to write the addon: I don't have time
to work on that addon, but I know it is possible to write it.

Cheers,
Brian
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Road to RC4-free web (the case for YouTube without RC4)

Hubert Kario
----- Original Message -----

> From: "Brian Smith" <[hidden email]>
> To: "mozilla's crypto code discussion list" <[hidden email]>
> Cc: [hidden email]
> Sent: Thursday, 10 July, 2014 9:41:43 PM
> Subject: Re: Road to RC4-free web (the case for YouTube without RC4)
>
> On Thu, Jul 10, 2014 at 5:00 AM, Hubert Kario <[hidden email]> wrote:
> > ----- Original Message -----
> >> From: "Brian Smith" <[hidden email]>
>
> <snip>
>
> >> However, it is likely that crypto libraries that make the two changes
> >> above
> >> will also have support for TLS_ECDHE_*_WITH_AES_*_GCM cipher suites too.
> >> So, I hope that they also enable TLS_ECDHE_*_WITH_AES_*_GCM at the same
> >> time they deploy these changes.
>
> <snip>
>
> > What basis do you have to assume that server administrators will actually
> > upgrade their Apache/nginx/lighttpd/OpenSSL/etc. installations?
>
> In this thread you pointed out that a number of websites had updated
> their servers to add TLS_RSA_WITH_AES*_GCM* and disable
> TLS_RSA_WITH_*_CBC_*, so that Firefox now only negotiates RC4 with
> them when it could be negotiating AES-GCM. The fact that they updated
> their servers to add non-ECDHE AES-GCM support is good evidence that
> these server administrators are paying attention and are likely to
> update if/when their server software vendor gives it to them if it
> solves a need (like improving what Firefox negotiates), right?

The non-ECDHE AES-GCM is "just" youtube (which is the thorn in my side).

ECDHE with non-AES-GCM (but with SHA256) is 2% of Internet.
Those connections could use AES instead of RC4 (and actually increase % of
sites that negotiate PFS ssuites), with no change other than addition of
single cipher suite to Firefox: ECDHE-RSA-AES128-SHA256.

But I want to add those additional ciphers so that:
 * I can watch youtube with RC4 less Firefox
 * others (when using the extension/settings) have maximum interoperability
   after disabling RC4

> Regarding your request about how to write the addon: I don't have time
> to work on that addon, but I know it is possible to write it.

I appreciate the gesture, but I'm asking for pointers to documentation
or other addons that do something similar so that I could write it.

--
Regards,
Hubert Kario
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Road to RC4-free web (the case for YouTube without RC4)

Brian Smith-19
In reply to this post by Hubert Kario
On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario <[hidden email]> wrote:

> The number of sites that prefer RC4 while still supporting other ciphers
> are
> very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not
> changing much. The percent of servers that support only RC4 is steadily
> dropping (1.771% in April[3], 1.194% in May[2], 0.985% in June[1]).
>
> Because of that, disabling RC4 should be possible for many users. The big
> exception for that was YouTube video servers[4] which only recently gained
> support for TLS_RSA_WITH_AES_128_GCM_SHA256.
>

Sorry that I couldn't say more earlier, but please see this message from
Adam Langley of Google about YouTube working on
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:

http://www.ietf.org/mail-archive/web/tls/current/msg14112.html

"And TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 support is coming -- it's already
enabled in some locations."

Cheers,
Brian
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Road to RC4-free web (the case for YouTube without RC4)

Hubert Kario
On Wednesday 22 October 2014 00:59:53 Brian Smith wrote:

> On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario <[hidden email]> wrote:
> > The number of sites that prefer RC4 while still supporting other ciphers
> > are
> > very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not
> > changing much. The percent of servers that support only RC4 is steadily
> > dropping (1.771% in April[3], 1.194% in May[2], 0.985% in June[1]).
> >
> > Because of that, disabling RC4 should be possible for many users. The big
> > exception for that was YouTube video servers[4] which only recently gained
> > support for TLS_RSA_WITH_AES_128_GCM_SHA256.
>
> Sorry that I couldn't say more earlier, but please see this message from
> Adam Langley of Google about YouTube working on
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
>
> http://www.ietf.org/mail-archive/web/tls/current/msg14112.html
>
> "And TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 support is coming -- it's already
> enabled in some locations."

Glad to hear that, I'll be impatiently waiting for it to be deployed on
servers assigned to central Europe ;)

--
Regards,
Hubert Kario
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Road to RC4-free web (the case for YouTube without RC4)

Kosuke Kaizuka
In reply to this post by Hubert Kario
On Wed, 22 Oct 2014 00:59:53 -0700, Brian Smith wrote:

> On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario <[hidden email]> wrote:
>
>> The number of sites that prefer RC4 while still supporting other ciphers
>> are
>> very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not
>> changing much. The percent of servers that support only RC4 is steadily
>> dropping (1.771% in April[3], 1.194% in May[2], 0.985% in June[1]).
>>
>> Because of that, disabling RC4 should be possible for many users. The big
>> exception for that was YouTube video servers[4] which only recently gained
>> support for TLS_RSA_WITH_AES_128_GCM_SHA256.
>>
>
> Sorry that I couldn't say more earlier, but please see this message from
> Adam Langley of Google about YouTube working on
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
>
> http://www.ietf.org/mail-archive/web/tls/current/msg14112.html
>
> "And TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 support is coming -- it's already
> enabled in some locations."

Excellent news! It has not enabled yet in Japan.
--
Kosuke Kaizuka
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Road to RC4-free web (the case for YouTube without RC4)

Kosuke Kaizuka
In reply to this post by Hubert Kario
On Thu, 23 Oct 2014 01:35:08 +0900, Kosuke Kaizuka wrote:> On Wed, 22
Oct 2014 00:59:53 -0700, Brian Smith wrote:

>> On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario <[hidden email]> wrote:
>>
>>> The number of sites that prefer RC4 while still supporting other ciphers
>>> are
>>> very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not
>>> changing much. The percent of servers that support only RC4 is steadily
>>> dropping (1.771% in April[3], 1.194% in May[2], 0.985% in June[1]).
>>>
>>> Because of that, disabling RC4 should be possible for many users. The big
>>> exception for that was YouTube video servers[4] which only recently gained
>>> support for TLS_RSA_WITH_AES_128_GCM_SHA256.
>>>
>>
>> Sorry that I couldn't say more earlier, but please see this message from
>> Adam Langley of Google about YouTube working on
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
>>
>> http://www.ietf.org/mail-archive/web/tls/current/msg14112.html
>>
>> "And TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 support is coming -- it's already
>> enabled in some locations."
>
> Excellent news! It has not enabled yet in Japan.

https://www.ssllabs.com/ssltest/analyze.html?d=r4---sn-uxaxovg-5goz.googlevideo.com
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_RC4_128_SHA

Now we can use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256!
--
Kosuke Kaizuka
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Road to RC4-free web (the case for YouTube without RC4)

Hubert Kario
On Saturday 08 November 2014 10:29:06 Kosuke Kaizuka wrote:

> On Thu, 23 Oct 2014 01:35:08 +0900, Kosuke Kaizuka wrote:> On Wed, 22
>
> Oct 2014 00:59:53 -0700, Brian Smith wrote:
> >> On Sun, Jun 29, 2014 at 11:18 AM, Hubert Kario <[hidden email]> wrote:
> >>> The number of sites that prefer RC4 while still supporting other ciphers
> >>> are
> >>> very high (18.6% in June[1], effectively 21.3% for Firefox[6]) and not
> >>> changing much. The percent of servers that support only RC4 is steadily
> >>> dropping (1.771% in April[3], 1.194% in May[2], 0.985% in June[1]).
> >>>
> >>> Because of that, disabling RC4 should be possible for many users. The
> >>> big
> >>> exception for that was YouTube video servers[4] which only recently
> >>> gained
> >>> support for TLS_RSA_WITH_AES_128_GCM_SHA256.
> >>
> >> Sorry that I couldn't say more earlier, but please see this message from
> >> Adam Langley of Google about YouTube working on
> >> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
> >>
> >> http://www.ietf.org/mail-archive/web/tls/current/msg14112.html
> >>
> >> "And TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 support is coming -- it's
> >> already enabled in some locations."
> >
> > Excellent news! It has not enabled yet in Japan.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=r4---sn-uxaxovg-5goz.googlevi
> deo.com TLS_RSA_WITH_RC4_128_SHA
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_RC4_128_SHA
>
> Now we can use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256!

Yup, it's working also in Europe.

--
Regards,
Hubert Kario
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
12