Bug 140014 - [SOUP] Disable RC4
Summary: [SOUP] Disable RC4
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
: P2 Major
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-31 08:37 PST by Michael Catanzaro
Modified: 2015-03-05 01:27 PST (History)
7 users (show)

See Also:


Attachments
Patch (1.54 KB, patch)
2014-12-31 08:40 PST, Michael Catanzaro
no flags Details | Formatted Diff | Diff
Patch (2.94 KB, patch)
2015-01-05 13:33 PST, Michael Catanzaro
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Catanzaro 2014-12-31 08:37:12 PST
It's past time to disable all ciphersuites that use RC4, which is no longer considered secure [1]. Instead, we should refuse to connect if the server only supports RC4.

This can be expected to break ~1.5% of the top 1,000,000 web sites [2], so we should only push this change once a major browser does so first [3] [4].

[1] https://datatracker.ietf.org/doc/draft-ietf-tls-prohibiting-rc4/
[2] https://jve.linuxwall.info/blog/index.php?post/TLS_Survey
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=999544
[4] https://code.google.com/p/chromium/issues/detail?id=375342
Comment 1 Michael Catanzaro 2014-12-31 08:40:22 PST
Created attachment 243843 [details]
Patch
Comment 2 Michael Catanzaro 2015-01-01 05:15:29 PST
Comment on attachment 243843 [details]
Patch

Not sure how this worked, since I failed to change the priority string in the network process. (But I'm pretty sure I had the network process enabled when I tested it. Hm....)
Comment 3 Dan Winship 2015-01-02 06:24:57 PST
Comment on attachment 243843 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=243843&action=review

> Source/WebKit2/ChangeLog:8
> +        Disallow the RC4 ciphersuite when performing TLS negotiation, because it

"Disallow RC4-based ciphersuites".
Comment 4 Michael Catanzaro 2015-01-05 13:28:42 PST
(In reply to comment #2)
> (But I'm pretty sure I had the network process enabled
> when I tested it. Hm....)

I must have been wrong.

(In reply to comment #3)
> "Disallow RC4-based ciphersuites".

Thanks.

(In reply to comment #0)
> This can be expected to break ~1.5% of the top 1,000,000 web sites [2], so
> we should only push this change once a major browser does so first [3] [4].

I'm inclined to go ahead and push this to master now anyway, and never change it in 2.6.x. [1] lists some sites to check, including three that are broken after the proposed Firefox change. This change in WebKit breaks one of those three; the other two we already cannot display.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1114809
Comment 5 Michael Catanzaro 2015-01-05 13:33:04 PST
Created attachment 243997 [details]
Patch
Comment 6 Michael Catanzaro 2015-01-05 14:24:04 PST
Actually actually, this got disabled in gnutls master recently, coincidentally the same day I filed this bug. So let's not do anything.
Comment 7 Michael Catanzaro 2015-02-19 06:15:58 PST
GnuTLS is moving too slow and RFC 7465 has been proposed [1] so I want to move forward with this anyway. Carlos, can you commit this to 2.8 and master please? Not 2.6.

[1] http://www.rfc-editor.org/rfc/rfc7465.txt
Comment 8 Carlos Garcia Campos 2015-02-19 08:21:53 PST
(In reply to comment #7)
> GnuTLS is moving too slow and RFC 7465 has been proposed [1] so I want to
> move forward with this anyway. Carlos, can you commit this to 2.8 and master
> please? Not 2.6.
> 
> [1] http://www.rfc-editor.org/rfc/rfc7465.txt

Why not 2.6?
Comment 9 Michael Catanzaro 2015-02-19 08:48:46 PST
Because it will break sites that only offer RC4 (there's a "fun" discussion on this in the Firefox and Chrome bugs in the first post), so I prefer to delay it to the next major release, so that nobody has any reason not to upgrade from 2.6.x to 2.6.y, and servers has a little extra time to adjust. Besides, it will likely take at least a month (if we're lucky) for other browsers to follow along.

Now, there is a talk about RC4 at Black Hat Asia, which is one day after the GNOME 3.16 release, which will present a new attack on RC4 that may be bad enough to necessitate a backport regardless. It's an iffy call whether to backport or not; I don't really mind either way as long as it's fixed going forward.
Comment 10 Michael Catanzaro 2015-03-01 09:04:17 PST
FWIW Firefox is dropping RC4 for FF38 (to be released in late May) but they've added 650 sites that only offer RC4 to a whitelist (to be removed in the "near future" but who knows what that means). I think we can just break those sites; I expect when we dropped SSLv3 and accidentally stopped doing protocol version fallback we broke many more than that. If we want to do something like a whitelist we'd need to talk about new API in glib and libsoup (which would be nice to have regardless).

See:

https://developer.mozilla.org/en-US/Firefox/Releases/38/Site_Compatibility
http://mxr.mozilla.org/mozilla-aurora/source/security/manager/ssl/src/IntolerantFallbackList.inc
Comment 11 Michael Catanzaro 2015-03-01 09:10:10 PST
Actually that is a link to their voluntary protocol version fallback whitelist. Either their release notes have the wrong link, or they haven't added any RC4 sites to the whitelist yet.
Comment 12 Carlos Garcia Campos 2015-03-02 08:16:48 PST
I'm lost with all this, TBH. Dan, Sergio, Martin, Gustavo?
Comment 13 Michael Catanzaro 2015-03-04 14:49:39 PST
(In reply to comment #12)
> I'm lost with all this, TBH.

The issue is that an attacker can view the first 256 bytes of your connection (i.e. he has your session cookie -> he is you -> game over) using significant but practical computing power. And very many sites will always pick RC4 first even if the browser lists it as the lowest preference, because it is very fast (and they don't support newer fast algorithms like AES GCM mode), so we must stop offering it completely to avoid that. But a few servers still only support RC4 due to misconfiguration. And there is no way to fix this issue for most sites but not those "broken" sites: what Firefox was doing prior to this week was offering RC4 only in their fallback handshake, but that provides zero additional security against an active attacker since he will just block the initial handshake. (We could do that too to improve security against a *passive* attacker, but the real "benefit" of doing that would be to trick users into thinking the browser is secure on online TLS tests, so I don't support that. And the analogy is not perfect because Firefox actually does multiple fallback handshakes where as we do only one, but that doesn't matter.)

So it's the wonderful choice of security vs. compatibility. We will have to make this choice many more times in the future. My preference is normally to err towards compatibility when all our competing browsers are just as insecure as we are, but in this case I'm not sure that's advisable. There is also a fairly good chance that if we don't fix it now we will be in a scramble to fix it three weeks from today, due to the Black Hat talk I mentioned above, but we can always wait and see!

Note also that RC4 is disabled in GnuTLS 3.4, so the choice will soon be made for us unless we explicitly turn it on with the priority string, but it'll take a year or so for that to make its way into most distros.
Comment 14 Michael Catanzaro 2015-03-04 15:04:04 PST
Note that https://bugzilla.gnome.org/show_bug.cgi?id=745637 would give us the power to implement a whitelist. I don't really want to do that, but it might be the best point on the security/compatibility compromise range.
Comment 15 WebKit Commit Bot 2015-03-05 01:27:46 PST
Comment on attachment 243997 [details]
Patch

Clearing flags on attachment: 243997

Committed r181073: <http://trac.webkit.org/changeset/181073>
Comment 16 WebKit Commit Bot 2015-03-05 01:27:52 PST
All reviewed patches have been landed.  Closing bug.