IETF takes rifle off wall, grabs RC4 cipher's collar, goes behind shed

The IETF is getting ready to finally kill off the venerable-but-vulnerable RC4 cipher. The group has issued a last call for comments before humming over a proposal that Internet-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS). It's a simple enough change, but in the wide world of the …

  1. Eddy Ito

    Ok, put it down. Life's too short for bad wine and bad ciphers.

    1. Paul Crawford Silver badge
      Joke

      But not long enough for bad women!

    2. Michael Wojcik Silver badge

      RC4 isn't a "bad cipher". It's very simple to implement, very fast, and provided more than adequate security under many reasonable threat models for twenty-odd years. In cryptography, that's very successful.

  2. jb99

    Pity

    The great thing about RC4 was that it was so easy to implement.

    If it's not secure then ok, it needs to stop being used.

    But I wish there was another simple to implement cypher, they all seem too complicated these days :(

    1. Anonymous Coward

      Re: Pity

      True -- not many RFCs come with working source code.

  3. phil dude
    Black Helicopters

    end of the rainbow...?

    The thing is, with sufficient taxpayer money, how big a rainbow table could you build for any of these algorithms?

    Not the whole thing, of course, but enough to help...?

    P.

    1. Anonymous Coward

      Re: end of the rainbow...?

      RC4 is a cipher, not a hashing algorithm.

  4. Anonymous Coward

    Well, hell, what's left?

    Are the DHE ciphers the only ones left that can be used in PCI DSS governed applications?

    1. A Known Coward

      Re: Well, hell, what's left?

      The advantage of DHE based ciphers is forward secrecy* which has got to be a Good Thing™?

      * https://en.wikipedia.org/wiki/Forward_secrecy

      In fact I wouldn't want to use any Payment/Banking system which didn't support cutting edge security. Unfortunately the PCI requirements are updated so slowly that they are out of date by the time they are published.

      My online banking (Barclays) security is a joke. RC4, no forward secrecy, no strict transport security headers, sha1 signatures, no stapling, no TLS fallback prevention, ssl v3 still supported ...

    2. Michael Wojcik Silver badge

      Re: Well, hell, what's left?

      DHE and RC4 are unrelated. DHE is a key-exchange mechanism (in effect an asymmetric cipher), while RC4 is a symmetric (secret-key) cipher.

      The last time I looked at PCI DSS, they allowed AES for symmetric encryption. There's little reason to use anything else, unless you're paranoid about ciphers endorsed by the US government, in which case you can use Camellia instead; I think it's even allowed by PCI DSS.

      What we don't have are any widely-interoperable stream ciphers. That's unfortunate because 1) they're generally faster and less resource-intensive than block ciphers, and 2) they avoid block-cipher vulnerabilities like the ones that gave us BEAST, Lucky13, and POODLE. But the answer to the latter is smarter protocols and better chaining modes (really no reason to use anything other than GCM), and to the former is throwing resources at it.

      1. A Known Coward

        Re: Well, hell, what's left?

        Right, AES_GCM or Camellia, with ECDHE is what everyone should be using.

        Running your site through https://www.ssllabs.com/ssltest/index.html is always a good idea. Anything less than an A is a poor performance. A+ is possible without making any compromise except for excluding IE6 and some combinations of XP + IE8.
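The distinction drawn in the replies above (DHE/ECDHE is the key exchange, RC4/AES/Camellia is the symmetric cipher, GCM is the mode) can be read straight off a TLS 1.2 suite name. The following is an added example, not part of any comment in this thread; the suite list is a constructed sample and the three checks are assumptions taken from the thread's advice (no RC4, forward secrecy, no CBC).

```python
import re

# Constructed sample: IANA names of TLS 1.2 suites a server might be configured to offer.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

FORWARD_SECRET_KX = {"DHE", "ECDHE"}   # ephemeral Diffie-Hellman key exchanges
AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}

def parse_suite(name):
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>... into key exchange, cipher and mode.
    TLS 1.3 names carry no key exchange and no _WITH_, so they are rejected."""
    m = re.fullmatch(r"TLS_([A-Z0-9_]+)_WITH_([A-Z0-9_]+)", name)
    if m is None:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    kx = m.group(1).split("_")[0]          # e.g. ECDHE from ECDHE_RSA
    tail = m.group(2).split("_")           # e.g. ['AES', '128', 'GCM', 'SHA256']
    if tail[0] == "RC4":
        mode = "stream"
    elif AEAD_TOKENS & set(tail):
        mode = "AEAD"
    elif "CBC" in tail:
        mode = "CBC"
    else:
        mode = "other"
    return {"kx": kx, "cipher": tail[0], "mode": mode,
            "forward_secrecy": kx in FORWARD_SECRET_KX}

def audit(name):
    """Return the findings for one suite; an empty list means none of the checks fired."""
    s = parse_suite(name)
    findings = []
    if s["cipher"] == "RC4":
        findings.append("RC4")
    if not s["forward_secrecy"]:
        findings.append("no forward secrecy")
    if s["mode"] == "CBC":
        findings.append("CBC mode")
    return findings

def recommended(suites):
    """Suites that pass every check, in the order given."""
    return [n for n in suites if not audit(n)]

if __name__ == "__main__":
    for n in SAMPLE_SUITES:
        print(f"{n:48} {', '.join(audit(n)) or 'ok'}")
```

Note that `TLS_ECDHE_RSA_WITH_RC4_128_SHA` has forward secrecy and is still flagged: the key exchange does nothing for a weak symmetric cipher.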
