by tptacek 360 days ago
Yes, we did! RC4 is a great example of what I'm talking about. It's a cipher nobody had any business ever using, and we were using it well into the 2010s, despite the fact that the (comically simple) underlying vulnerabilities in it were known in the 1990s.

How is RC4 a great example? Obviously with hindsight you'd choose something different, but in the mid-1990s there weren't a lot of good options - in your alternate history do we just hope DES (which we know has a NOBUS for the US government) is OK forever? Do we go without SSL altogether? What's the plan?
I don't understand. Why did we need RC4 for SSL? Most SSL and TLS connections just used CBC-mode.
CBC mode of what? IDEA maybe? Are you here to go to bat for IDEA because it's in better shape than RC4 (likely because nobody cares)?
Even DES-EDE is better than RC4.
3DES? I guess. People banged on it a lot more than IDEA, which is good; even on your worst days, banging on things has potential to shake loose anything poorly put together. But as a "path dependency" I think it might teach an even worse lesson than RC4 did.

Edited: Sorry the last sentence was garbled nonsense originally, maybe it's the heat here. Or my brain is gradually deteriorating :/

I don't see how that could be the case. The major problem with DES-EDE is shared by all the 8-byte-block ciphers, and the fix was simply to upgrade. The problem with RC4 is much more fundamental.