Hacker News
by tialaramex 360 days ago
How is RC4 a great example? Obviously with hindsight you'd choose something different, but in the mid-1990s there weren't a lot of good options - in your alternate history do we just hope DES (which we know has a NOBUS for the US government) is OK forever? Do we go without SSL altogether? What's the plan?

I don't understand. Why did we need RC4 for SSL? Most SSL and TLS connections just used CBC-mode.
CBC mode of what? IDEA maybe? Are you here to go to bat for IDEA because it's in better shape than RC4 (likely because nobody cares)?
Even DES-EDE is better than RC4.
3DES? I guess. People banged on it a lot more than IDEA, which is good, even on your worst days banging on things has potential to shake loose anything poorly put together. But as a "path dependency" I think it might teach an even worse lesson than RC4 did.

Edited: Sorry the last sentence was garbled nonsense originally, maybe it's the heat here. Or my brain is gradually deteriorating :/

I don't see how that could be the case. The major problem with DES-EDE is shared by all the 8-byte-block ciphers, and the fix was simply to upgrade. The problem with RC4 is much more fundamental.