RC4

[jduncanator]

I think there should be a discussion on whether to implement RC4 as an available cipher suite or not. I understand it is a broken cipher but in my opinion it is not upto us to decide what should and shouldn't be used. To provide a full TLS1.0 implementation we need to support RC4. A lot of websites out there force RC4 on their users so it would be nice to have support for it.

Also, a lot of other applications hard code in RC4 support, so having RC4 available via the Forge API would be really nice.

[dlongley]

I'm not opposed to making it available with some clear warnings not to use it. It should be low priority (and has been such), however, exactly because it's a broken cipher. It may turn out that by the time we get more important upgrades/features into forge that the state of using RC4 in the wild will have changed -- mitigating any need for it.

[jduncanator]

@dlongley Totally agree with you. However a lot of people also use forge as a general purpose crypto library on the web and as such, like using the algorithms standalone. I had a project once to implement a client for a third-party server that used RC4. I couldn't control the server so I had no choice but to implement RC4 in JavaScript. I know that forge is mainly a TLS implementation, but times are changing and people are looking for a more complete JS crypto implementation!

[dlongley]

I know that forge is mainly a TLS implementation, but times are changing and people are looking for a more complete JS crypto implementation!

Well, at this point, I'd say forge is now aiming to and becoming a more complete JS crypto implementation. I agree with your other points.

[dlongley]

Everyone is shutting off RC4 completely these days, so I think there is very little value in implementing it. I'm going to close this issue.

[jduncanator]

That's fine, the use case I was planning on using it for is well and truly been and gone!