From owner-freebsd-security@FreeBSD.ORG Tue Sep 10 19:05:40 2013
Message-ID: <522F6D79.9070208@bluerosetech.com>
Date: Tue, 10 Sep 2013 12:05:29 -0700
From: Darren Pilgrim
To: Mark Felder
Subject: Re: Anything in this story of concern?
References: <20130909144142.J99094@sola.nimnet.asn.au> <1378731079.24879.19687157.0DBE99D1@webmail.messagingengine.com>
In-Reply-To: <1378731079.24879.19687157.0DBE99D1@webmail.messagingengine.com>
Cc: freebsd-security@freebsd.org

On 9/9/2013 5:51 AM, Mark Felder wrote:
> I'm still waiting for someone to thoroughly analyze this question
>
> What's worse: the possibility that NSA has cracked RC4 or being
> vulnerable to BEAST/CRIME? They're both equally bad, IMO.

BEAST/CRIME are known, usable exploits. RC4 isn't proven broken, but it has been shown to be weaker than expected, so 128-bit RC4 << 128-bit AES in terms of strength. That does mean if you're subject to certain privacy constraints, you must disable RC4. AFAIK there aren't yet any usable exploits against RC4's weaker status and it's still much stronger than 64-bit crypto--the point at which it's currently accepted as brute-force vulnerable.

Currently, BEAST has been effectively mitigated client-side and most major applications now support 1.1 or later. Current Firefox and Thunderbird use NSS 3.14, which supports 1.1, but the apps have it disabled by default (set security.tls.version.max=2 in each to enable). Firefox 24 should have NSS 3.15.1 and thus support 1.2. IE on Windows 7/8 supports TLS 1.1 and 1.2, but has them disabled by default. IE 11 is supposed to have them enabled by default; but this is Microsoft, so we can't know until bits are out the door. Chrome, Opera and Safari support both and have them enabled by default.

At the OS level, Windows and OS X both have 1.1 and 1.2 support. If your *nix of choice has OpenSSL 1.0.1, it has 1.1 and 1.2 support.
OpenSSL is tricky because most apps only give you cipherspec control. Via cipherspec, !SSLv3 also turns off TLS 1.1 because it leaves only the 1.2-only AES-GCM ciphers. Some OpenSSL-based apps, like Postfix and nginx, have the ability to also specify a protocol filter.

tl;dr:
- Disable RC4, it's weak.
- Upgrade your user apps.
- Upgrade OpenSSL to 1.0.1 (via ports, it's easy).
- Deploy TLS 1.1 and 1.2 on your servers today.
- Leave SSLv3/TLSv1.0 enabled only for cases where you can't control the remote end's SSL capabilities.
- Recommended OpenSSL 1.0.1 cipherspec: ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNULL:@STRENGTH
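The post's point is that a cipherspec is the only knob many OpenSSL-based apps expose, and that a protocol keyword such as !SSLv3 inside it silently prunes cipher suites rather than protocol versions. The script below is an added example, not code from the post or from FreeBSD; it feeds the recommended cipherspec through the same OpenSSL cipher-string parser that `openssl ciphers` uses (via Python's standard-library ssl module, which is assumed to be linked against OpenSSL) and reports what actually survives: whether any RC4, MD5 or anonymous suites remain, and what appending !SSLv3 removes. It filters out TLS 1.3 suites because OpenSSL 1.1.1+ always reports them and a cipherspec does not govern them. On OpenSSL 1.1.0 and later each suite carries its own minimum protocol tag, so the script prints the protocols left behind instead of assuming only TLS 1.2 suites remain.

```python
"""Check what an OpenSSL cipherspec really selects (added example).

Uses the stdlib ssl module, which hands the string to OpenSSL's own
cipher-string parser, so the result matches `openssl ciphers -v SPEC`
for the OpenSSL version Python is linked against (assumption).
"""
import re
import ssl

# Cipherspec recommended in the post for OpenSSL 1.0.1.
RECOMMENDED = "ALL:HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!MD5:!aNULL:@STRENGTH"

# Pulls "Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD" out of the description
# line that SSL_CIPHER_description() produces.
_FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")


def expand(spec):
    """Return the TLS <= 1.2 cipher suites that `spec` selects.

    TLS 1.3 suites (OpenSSL 1.1.1+) are governed by a separate setting
    and are reported regardless of the cipherspec, so they are dropped
    here to keep the comparison honest.  ssl.SSLError is raised by
    set_ciphers() if the spec matches nothing at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def fields(cipher):
    """Key exchange / auth / encryption / MAC of one suite, as a dict."""
    return dict(_FIELD.findall(cipher["description"]))


def violations(spec):
    """Names of selected suites the post says must be gone:
    RC4 encryption, an MD5 MAC, or anonymous (unauthenticated) key exchange.
    Anonymous suites are spelled ADH-*/AECDH-*, so the name alone is not
    enough; the Au= field is what identifies them.
    """
    bad = []
    for c in expand(spec):
        f = fields(c)
        if "RC4" in c["name"] or f.get("Mac") == "MD5" or f.get("Au") == "None":
            bad.append(c["name"])
    return bad


def protocols(spec):
    """Set of minimum protocol versions among the suites `spec` selects."""
    return {c["protocol"] for c in expand(spec)}


def dropped_by(spec, extra):
    """Suite names that `spec` selects but `spec + ':' + extra` no longer does."""
    before = {c["name"] for c in expand(spec)}
    after = {c["name"] for c in expand(spec + ":" + extra)}
    return sorted(before - after)


if __name__ == "__main__":
    ok = expand(RECOMMENDED)
    print(f"{len(ok)} suites selected; violations: {violations(RECOMMENDED)}")
    for c in ok:
        print(f"  {c['name']:32} {c['protocol']:8} {fields(c)}")
    # The side effect the post warns about: !SSLv3 prunes suites, not versions.
    print(f"\nprotocols with !SSLv3 appended: {protocols(RECOMMENDED + ':!SSLv3')}")
    print("suites removed by !SSLv3:", dropped_by(RECOMMENDED, "!SSLv3"))
```

Run it against the OpenSSL your server links to, not a workstation's, since the answer depends on the library version. If it shows the suites you need for old clients disappearing once !SSLv3 is added, that is the situation the post describes, and the fix is the separate protocol filter in apps that have one (nginx's `ssl_protocols`, Postfix's `smtpd_tls_protocols` / `smtpd_tls_mandatory_protocols`) rather than a stricter cipherspec.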