The IETF is getting ready to finally kill off the venerable-but-vulnerable RC4 cipher.
The group has issued a last call for comments before humming over a proposal that Internet-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS).
It's a simple enough change, but in the wide world of the Internet, it'll take time to propagate: clients should stop listing RC4 in the ClientHello message, while servers must not select RC4 on client requests. As the document notes, if the client insists on RC4, the TLS server must terminate the handshake, and may send the “insufficient_security” fatal alert back to the client.
The cipher-suite RC4 has been considered risky for some time. Last year, both Microsoft and Cisco advised customers to avoid it. RC4 was also one of the ciphers used in SSL 3.0, which fell to the POODLE bug, but as Google wrote in its analysis of the vuln, POODLE attacked a different cipher.
As the IETF proposal, authored by Andrei Popov of Microsoft, notes, recent theoretical attacks against RC4 “are on the verge of becoming practically exploitable.” Currently such attacks require 226 sessions or 13x230 encryptions, so “RC4 can no longer be seen as providing a sufficient level of security for TLS sessions.”
Those wishing to comment prior to adoption of the draft have until December 10 to do so. ®