Re: Fedora crypto policy vs the real world Was: available crypto policies

----- Original Message -----
> From: "Nikos Mavrogiannopoulos" <nmav@xxxxxxxxxx>
> To: "Hubert Kario" <hkario@xxxxxxxxxx>
> Cc: "Tomas Mraz" <tmraz@xxxxxxxxxx>, security@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Tuesday, 6 May, 2014 1:17:13 PM
> Subject: Re: Fedora crypto policy vs the real world Was: available crypto policies
> 
> On Tue, 2014-05-06 at 06:41 -0400, Hubert Kario wrote:
> 
> > > So no, Windows won't disable RC4 support by default.
> > nitpick: Windows 7 doesn't disable RC4 support by default.
> > Windows 8 does disable RC4 by default:
> > http://blogs.msdn.com/b/ie/archive/2013/11/12/ie11-automatically-makes-over-40-of-the-web-more-secure-while-making-sure-sites-continue-to-work.aspx
> 
> I don't think Microsoft would be held up as an example, but still they do
> negotiate RC4, as they re-try connecting using RC4 if the first
> handshake fails. From a security point of view, their change is useless,
> as if I can attack RC4, I can simply make the first attempt to connect
> fail, and attack the second that includes RC4.

Yes, for a dedicated attack, it does not change anything, as it is performing
a man in the middle anyway. It does help against a passive attacker. But I agree,
connection retry with different ciphers is a bad idea.
 
> Nevertheless, we cannot even do what they do (i.e., reconnect using RC4
> as fallback). What we do is to set the bar to either allow RC4 or have a
> failed connection, and thus force a plaintext session, that is worse
> than RC4.

Sorry, but how does that force a plaintext session?

There's no plaintext fallback for HTTP. Over HTTP you get a redirection to the
HTTPS site that simply won't work, no fallback. If the attacker uses sslstrip
and you don't notice the lack of a padlock, that's not the fault of RC4.

For connections like LDAP, SMTP, POP3 or IMAP you configure it once to either
use or not use SSL. So that's only a configuration-time attack.

And applications which use opportunistic encryption shouldn't use the default
cipher order anyway (as the default won't ever include anonymous DH).

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
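The argument in the thread above (an active attacker makes the first handshake fail so the RC4 retry is used, while a passive attacker gains nothing from the retry) as an added model; this is not code from the original mail, from the list participants or from Fedora's crypto policy, and the cipher names, the server's preference order and the attacker models are assumptions.

```python
# Added model of the fallback argument in the thread above, not code from the
# Fedora list or its participants; cipher names, server preference and the
# attacker models are constructed for illustration.
STRONG = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
RC4 = ["RC4-SHA"]
# Hypothetical server: prefers strong ciphers but still accepts RC4.
SERVER_PREFERENCE = STRONG + RC4

def server_select(offered):
    """Pick the first server-preferred cipher the client also offered."""
    for cipher in SERVER_PREFERENCE:
        if cipher in offered:
            return cipher
    return None  # no common cipher: handshake failure

def handshake(offered, attacker):
    """One handshake attempt under an attacker model.
    passive: observes only and cannot change the outcome.
    active : man in the middle who drops any attempt whose offer lacks RC4.
             The offer itself is not edited, since the TLS Finished messages
             would expose tampering; only dropping the connection is modelled.
    """
    if attacker == "active" and not any(c in offered for c in RC4):
        return None  # connection killed before the server answers
    return server_select(offered)

def connect(policy, attacker):
    """Negotiated cipher, or None for a failed connection.
    strict    : offer strong ciphers only, never retry (policy forbids RC4).
    fallback  : offer strong first, retry with RC4 if that fails (the
                browser behaviour discussed in the thread).
    permissive: offer RC4 alongside strong ciphers in a single handshake.
    """
    if policy == "permissive":
        return handshake(STRONG + RC4, attacker)
    first = handshake(STRONG, attacker)
    if first is not None or policy == "strict":
        return first
    return handshake(RC4, attacker)  # the retry the thread calls a bad idea

def outcomes():
    """Negotiated cipher for every (policy, attacker) pair."""
    return {(p, a): connect(p, a)
            for p in ("strict", "fallback", "permissive")
            for a in ("passive", "active")}

if __name__ == "__main__":
    for (policy, attacker), cipher in outcomes().items():
        print(f"{policy:10s} {attacker:8s} -> {cipher or 'connection failed'}")
```

The fallback row ends on RC4 only when the attacker is active, which is the point both mails make; the permissive row shows that in this model offering RC4 inside one handshake is not downgraded by connection dropping alone, so its safety rests on the server's preference order.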