Parsia's Den

Because no one wants to be the other guy from Wham!

Nov 17, 2013 - 2 minute read - Comments - Crypto

How do I TLS Ciphersuite?

“Should we use RC4 or AES-CBC?” This is a legitimate question. Many have heard of the highly publicized attacks against TLS with CBC-mode ciphers (BEAST, for example; CRIME is often lumped in with these, but it targets TLS compression rather than CBC) and lean towards RC4. If asked (granted, no one asks me), my answer would be: if you control the web servers (not feasible in all situations) and the users’ browsers (almost impossible), upgrade to TLS 1.2 and go with AES-GCM. However, not many browsers support these yet, and to be honest, reaching more users trumps some loss of security in many cases.
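If you do control the server side, the advice above boils down to a cipher policy: nothing below TLS 1.2, AEAD suites only, RC4 and CBC gone. The following is an added example (not code from the original post) that pins such a policy in Python's `ssl` module against the local OpenSSL and audits what the cipher string actually expands to, offline. The cipher string `GCM_ONLY` and the marker lists are my own assumptions for illustration, not something the post prescribes; `SSLContext.get_ciphers()` needs Python 3.6 or later.

```python
"""Pin a TLS cipher policy and check what it expands to, without a network.

Added example, not from the original post. The policy string below is an
assumption chosen to match the post's advice (TLS 1.2+, AES-GCM, no RC4).
"""
import ssl

# Assumed policy: forward-secret AES-GCM suites for TLS 1.2, plus whatever
# TLS 1.3 suites the library offers (all of which are AEAD). No RC4, no CBC.
GCM_ONLY = "ECDHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5"

# Substrings whose presence in a suite name means the audit should fail.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES")
# Substrings that identify an AEAD suite; anything else is CBC or worse.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def context_with_policy(cipher_string: str = GCM_ONLY) -> ssl.SSLContext:
    """Build a context that refuses anything below TLS 1.2 and restricts
    the TLS 1.2 suite list to `cipher_string`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of the suites the context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit(names: list) -> tuple:
    """Return (weak, non_aead): suites matching a weak marker, and suites
    that are not AEAD (i.e. CBC/MAC-then-encrypt or similar)."""
    weak = [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]
    non_aead = [n for n in names if not any(m in n.upper() for m in AEAD_MARKERS)]
    return weak, non_aead


def policy_is_clean(cipher_string: str = GCM_ONLY) -> bool:
    """True when the expanded policy has no weak and no non-AEAD suites
    and offers at least one AES-GCM suite."""
    names = enabled_cipher_names(context_with_policy(cipher_string))
    weak, non_aead = audit(names)
    return not weak and not non_aead and any("GCM" in n for n in names)


if __name__ == "__main__":
    ctx = context_with_policy()
    for name in enabled_cipher_names(ctx):
        print(name)
    print("clean:", policy_is_clean())
```

The same `audit` function is useful the other way round: feed it the names your load balancer or CDN reports as enabled, and it tells you whether an RC4 or CBC suite is still reachable.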

RC4 was a masterpiece for its time (it still is), but its keystream has strong biases, especially in the first bytes, and practical attacks that exploit them have been published [1]. Also, because it takes only a key (there is no nonce or IV), if a key is reused the keystream is identical both times, so an observer can XOR two ciphertexts to obtain the XOR of the two plaintexts; with one plaintext known or guessable, the other falls out. A recent demonstration of this weakness was in the popular WhatsApp application, where the same key was used in both directions [2]. Granted, this was an application design flaw, but WhatsApp has quite the security history (google WhatsApp and IMEI).
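To make the key-reuse problem concrete, here is an added example (not code from the original post, and not WhatsApp's code) with a minimal RC4 and two constructed messages "encrypted" under the same key in both directions, as the post describes. Without the key, XORing the two ciphertexts yields the XOR of the plaintexts; with the request side known (HTTP requests are highly predictable), the response is recovered outright. The key and messages are made up for the demonstration.

```python
"""RC4 key reuse: same key, same keystream, so C1 ^ C2 == P1 ^ P2.

Added example, not from the original post. The key and the two messages
are constructed sample data; RC4 is implemented inline so this runs offline.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: a stream cipher is its own inverse."""
    return xor(data, rc4_keystream(key, len(data)))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two ciphertexts under one key plus the first plaintext give the
    second: (P1 ^ K) ^ (P2 ^ K) ^ P1 == P2. Works for the overlapping prefix."""
    return xor(xor(c1, c2), known_p1)


def demo() -> tuple:
    """Return (xor_leaks, crib_recovers, recovered_bytes) for the scenario."""
    key = b"shared-session-key"                  # constructed: one key, both directions
    request = b"GET /inbox HTTP/1.1\r\nHost: x"  # constructed client-to-server message
    response = b"HTTP/1.1 200 OK\r\nX-Msg: hi"   # constructed server-to-client message
    c_req = rc4(key, request)
    c_resp = rc4(key, response)
    n = min(len(request), len(response))
    # Passive observer, no key: ciphertext XOR equals plaintext XOR.
    xor_leaks = xor(c_req, c_resp) == xor(request, response)
    # Observer who can guess the request: the response is fully exposed.
    recovered = recover_with_crib(c_req, c_resp, request)
    return xor_leaks, recovered == response[:n], recovered


if __name__ == "__main__":
    leaks, recovers, text = demo()
    print("C1^C2 == P1^P2:", leaks)
    print("response recovered from request crib:", recovers, text)
```

AES-GCM has the same failure mode if a (key, nonce) pair is repeated, which is why the nonce discipline of the record layer matters; the difference is that TLS gives GCM a per-record nonce and gives RC4 nothing but the key.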

A few days ago Microsoft released security advisory 2868725, “Recommendation to disable RC4.” They found that less than 4% of the roughly 5 million websites they sampled worked only with RC4 (although from my personal experience the RC4 share is probably higher) [3].

Major browsers are also starting to support TLS 1.2 and AES-GCM. Chrome has had TLS 1.2 support for a while (since Chrome 29) [4], and Chrome 31 (released a few days ago) adds support for AES-GCM [5].

Firefox has implemented TLS 1.2 [6] and AES-GCM [7].

IE 11 turns TLS 1.2 on by default [8].

A day after I wrote the draft of this blog post, Adam Langley (author of the patches in links 4 and 5) wrote a blog post named “A roster of TLS cipher suites weaknesses” [9]. He discusses the strengths and weaknesses of the aforementioned three cipher families (RC4, AES-CBC and AES-GCM), plus ChaCha20-Poly1305 (if you do not know why the numbers are not powers of 2, google it :D).

tl;dr: AES-GCM seems to be the flavor of the month. More and more browsers support it, so it may be a good time to start moving towards it.

PS: I know, I will get the contact page fixed soon ™.