----- Original Message -----
> From: "Nikos Mavrogiannopoulos" <nmav@xxxxxxxxxx>
> To: "Aaron Zauner" <azet@xxxxxxxx>
> Cc: "Hubert Kario" <hkario@xxxxxxxxxx>, security@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Monday, May 5, 2014 5:11:04 PM
> Subject: Re: Fedora crypto policy vs the real world Was: available crypto policies
>
> On Mon, 2014-05-05 at 16:46 +0200, Aaron Zauner wrote:
> >
> > Eric H. Christensen wrote:
> > > On Mon, May 05, 2014 at 11:50:48AM +0200, Nikos Mavrogiannopoulos wrote:
> > >> On Fri, 2014-04-25 at 10:34 -0400, Hubert Kario wrote:
> > >>> SSL/TLS survey of 305280 websites from Alexa's top 0.97 million
> > >>> Stats only from connections that did provide valid certificates
> > >>> (or anonymous DH from servers that do also have valid certificate
> > >>> installed)
> > >>> RC4 Only 5418 1.7748
> > >> That's pretty interesting. The question is now how important is that RC4
> > >> only segment. Is that percentage significant enough to revise having RC4
> > >> in the "default" crypto profile set?
> > >
> > > Revise how? RC4 should be dropped down to EXPORT status, IMO, but
> > > somehow lives on.
> > >
> > +1. Not quite sure why it's still in the TLS 1.3 draft.
>
> This is not about the TLS protocol in 5 years, but about the ciphers
> that we will make available in Fedora 21 by default this autumn. If the
> default settings disallow RC4 it means that the users of Fedora will not
> be able to connect to the 1.7748% of this list of web servers.
>
> That is, no HTTPS connection at all for 17215 servers; only plaintext.
> If that list contains some popular HTTPS servers, we'll have:
> 1. Users connecting with no security at all to these web sites.
> 2. Users relaxing the overall security level from DEFAULT -> LEGACY
> 3. Users switching to some other distribution where things just work.
>
> I don't like any of these possibilities if they apply to a major part of
> our users. The DEFAULT setting should apply to 99% of our users.
>
> We need to know what removing RC4 from the default list entails. Knowing
> which these 17215 servers are, and their ranking in that list would
> certainly help decide.

In my opinion, Fedora, as a security-conscious distribution, should follow
Microsoft's example and remove RC4 from default too.

Protecting users of 18% of web servers is worth the problems it may cause.

Note that the results are from connections that were forced to use SSL, not
ones that were redirected to SSL.

We can either provide a false sense of security to users of those 1.7% of sites
or provide much better security to users of nearly 18% of sites that also
support other cipher suites.

Because of Windows 8 (both mobile and desktop), the 1.7% number will be going
down, not up.

For example, the highest ranked sites that did support only RC4 were:
396,adultfriendfinder.com
499,typepad.com - now fixed
592,timeanddate.com - now fixed
791,priceline.com
853,inbox.com
975,lacaixa.es
985,squarespace.com
1204,aa.com
1434,xiaomi.com
1590,cvs.com

None of those redirect to SSL by default.

RC4 is broken. While the latest attack against it does require a few million
connections (which we know that some actors already do collect) it also,
for all intents and purposes, has computational complexity of 0.
Researchers performed only 256 tries for their guesses - that's 8-bit
computational complexity for the attack. They did use only double byte biases
and assumed completely random plaintext (no "GET / HTTP/1.1" or
"EHLO smtp.example.com"). So this was not entirely a detailed cryptanalysis,
large parts of it were simple brute force.

Also note that a service that connects to a site every minute for a year will
reach the needed threshold for the easiest attack that recovers "only" 3 bytes
with 100% accuracy.

Now, unless someone has done the maths, I'm going to use a conservative estimate
and assume a one to one ratio for memory-time trade off.
That means that RC4 has 38 bit computational complexity of attack for a capture
of just a few connections. That's export grade crypto level.

Top 100 sites that supported only RC4 ciphers:

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
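
The trade-off argued in this thread, as an added example that is not part of the original message or of any Fedora tooling: given per-server cipher lists from a scan, it separates servers that break when the client drops RC4 from servers that simply move to another cipher. The host names, the suite lists and the category names are constructed, and the client is assumed to offer every suite except, optionally, the RC4 ones.

```python
from collections import Counter

# Constructed sample scan: host -> cipher suites the server accepts, in server
# preference order (OpenSSL suite names). Hosts and lists are made up.
SAMPLE_SCAN = {
    "rc4-only.example": ["RC4-SHA", "RC4-MD5"],
    "rc4-first.example": ["ECDHE-RSA-RC4-SHA", "RC4-SHA", "AES128-SHA"],
    "rc4-last.example": ["AES256-SHA", "AES128-SHA", "RC4-SHA"],
    "modern.example": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
    "legacy-3des.example": ["RC4-MD5", "DES-CBC3-SHA"],
}

def uses_rc4(suite):
    """True if the OpenSSL suite name has RC4 as its bulk cipher."""
    return "RC4" in suite.split("-")

def negotiate(server_suites, client_allows_rc4):
    """First server-preferred suite the client accepts; None if the handshake fails.
    Assumes the client offers every suite except, optionally, the RC4 ones."""
    for suite in server_suites:
        if client_allows_rc4 or not uses_rc4(suite):
            return suite
    return None

def classify(server_suites):
    """Effect on one server of removing RC4 from the client's default policy."""
    before = negotiate(server_suites, client_allows_rc4=True)
    after = negotiate(server_suites, client_allows_rc4=False)
    if before is None:
        return "no_tls"            # nothing accepted even with RC4 allowed
    if after is None:
        return "rc4_only"          # connection breaks under the new policy
    if uses_rc4(before):
        return "moved_off_rc4"     # used RC4 before, gets another cipher now
    return "unaffected"            # server never preferred RC4

def policy_impact(scan):
    """Map each category to (host count, percent of scanned hosts)."""
    counts = Counter(classify(suites) for suites in scan.values())
    total = len(scan) or 1
    return {cat: (n, round(100.0 * n / total, 1)) for cat, n in counts.items()}

if __name__ == "__main__":
    for category, (n, pct) in sorted(policy_impact(SAMPLE_SCAN).items()):
        print(f"{category:14s} {n:3d} {pct:5.1f}%")
```
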