RC4 security in TLS

[hannesm]

problem: some bytes can be recovered

solution: throw RC4 away and switch to CBC

references

• http://www.isg.rhul.ac.uk/tls/index.html

[hannesm]

there's now even a proposed standard rfc, shepherded... http://www.ietf.org/id/draft-ietf-tls-prohibiting-rc4-01.txt

[hannesm]

talking to @Andreas23 I think we should remove RC4 from the default_config ciphers (but still list as supported, since our implementation does support RC4).

[g2p]

Is RC4 really disabled, or just not advertised as per the commit message?
The RFC says RC4 must never be negotiated (Firefox roadmap): https://tools.ietf.org/html/rfc7465
Otherwise an active attacker would drop a connection and force the use of RC4.

[hannesm]

in the default config in master, RC4 is disabled -- it can not be negotiated. You can still configure OCaml-TLS to use RC4. The 0.3.0 release still advertises RC4 by default (but there'll be a 0.4.0 really soon now)!
As example, https://ownme.ipredator.se will never negotiate RC4 (while https://tls.openmirage.org will).