[thirsteh]

The statement that RC4 has no weaknesses is not true. It has well-known biases: http://en.wikipedia.org/wiki/RC4#Security It is just better than CBC (as implemented), being a stream cipher, and thus using RC4 is the best solution right now. It is still important to get as much as possible up to TLS 1.2 and using AES-GCM or other AEAD modes as soon as possible.

Edit: Clarified that RC4 is better than CBC as implemented, not CBC implemented with constant-time verification, i.e. RC4 will not be preferable to AES-CBC in the fixed version of OpenSSL, at least against the Lucky Thirteen attack.

[tptacek]

RC4 isn't "better" than CBC (it's much worse).

But people hold their noses and use it because browser upgrade cycles haven't shaken off a bug that happens to affect CBC mode.

[thirsteh]

You are extracting something I didn't say, or at least didn't mean to imply. RC4 is better than TLS-CBC as it is implemented by virtually all libraries. A constant-time implementation is obviously preferable, but considering the mess this makes of client libs I doubt many will adopt it. RC4 will be better for those until TLS 1.2 and e.g. AES-GCM are supported.

As an example, see Adam Langley's comments on not fixing (i.e. making constant-time) CBC in Go: https://groups.google.com/d/msg/golang-nuts/HF5O5vAKRcQ/3cYW...

Also, blaming browsers when we've known about timing attacks against this verification for years, and OpenSSL is patching it now, is probably a bit of a stretch.

[tptacek]

You're commenting at a greater level of detail than I am. I'm only making the AES-CBC > RC4 case because it would be awfully dumb of someone to design a new cryptosystem with RC4, even if AES-CBC was the only alternative.

The CBC timing channel 'agl is talking about is specific to TLS's idiosyncratic mac-then-encrypt implementation. Don't ever use mac-then-encrypt. Encrypt first, then MAC.

I'm blaming browsers for (a) not implementing CTR mode (AE or otherwise) and (b) being vulnerable to the chained CBC IV vulnerability. I'm not blaming browsers for the timing attack on AES-CBC.

[thirsteh]

Ah, yes. I agree.

[hynek]

Absolutely. But since we still have to support SSLv3 from 1996, I wouldn’t hold my breath. :(

[thirsteh]

Yeah. The outlook is not that great, and RC4 will definitely be better than CBC for those legacy systems in light of this discovery (http://www.isg.rhul.ac.uk/tls/). At least the browsers are actively working on supporting the latest TLS and modes.

[hynek]

Yes, the discovery of Lucky13 and the following helplessness by many not-really-ops-but-doing-it-anyway people were the motivation to write that article in the first place. To get a minimal baseline security out there. Those who know better, will do better. There’s enough additional links to get hooked up. Can’t do more. :)

[tptacek]

"Lucky 13" isn't exactly an ops crisis. You probably don't need to stay up late patching this one, unless you're using DTLS.

[hynek]

Oh certainly not a crisis – especially since it didn't bring new vectors to the table. I just saw many “what now!?”s in my timelines and figured I better give them a solid good-enough solution that just works before they do something stupid.

[huxley]

Do we really? What browsers don't support at least TLS 1.0? Or is it other user agents?

[hynek]

It very much depends on your target audience.

We’re in the web hosting business and whenever we try to be a bit more progressive, people start yelling at us that their IE 4-using customers in rural Mongolia can’t SSL-surf their shop. When it comes to mail, IIRC some business phones were behind too.

OTOH iOS 6 support TLS 1.2, so if you’re just building a REST API for your own apps, you can go wild.