Is RC4-less browsing possible?

As some of you know, YouTube now supports one other cipher besides the venerable RC4. Unfortunately, this other cipher suite is not supported by the currently released Firefox (but is supported by the underlying cryptographic library – NSS).

So I went and implemented a patch that allows the user to enable this other cipher suite (among others).

Side note: while compiling Firefox requires quite a few dependencies and lots of patience (not to mention a few gigabytes of disk space), the process itself is really easy with all the guides available on the Mozilla Developer Network. Props to all the people responsible for this documentation and scripts!

The patch I wrote was unfortunately shot down by Brian Smith because the current goal is to push server operators to implement support for ECDHE and AES-GCM. While this is a noble goal, I’m a bit more pragmatic (or impatient, if you will) and want the cipher suite selection to represent what servers do, not what we want them to do.

(While I write below about Firefox 29, the same is true of the current development master branch.)

Current state of Firefox 29

I took this month’s scan results and checked them against the ciphers Firefox offers.

The good news: Firefox 29 cipher selection is incompatible with less than 0.01% of sites (assuming that all Internet servers support at least one cipher suite that OpenSSL supports).

The bad news: its cipher selection makes the number of servers that prefer RC4 over other cipher suites larger by another 2.68% (for a total of 21.3%).

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          301       0.0858
x:FF 29 RC4 Preferred     9421      2.6844
x:FF 29 incompatible      31        0.0088

Let's look closer at the ciphers that cause some servers to be elevated to the RC4 Only state (excluding the obviously bad anonymous cipher suites or export grade):

FF 29 RC4 Only other ciphers  Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              49        0.014
AES128-SHA256                  98        0.0279
AES256-GCM-SHA384              26        0.0074
AES256-SHA256                  98        0.0279
DHE-RSA-AES128-GCM-SHA256      7         0.002
DHE-RSA-AES128-SHA256          4         0.0011
DHE-RSA-AES256-GCM-SHA384      9         0.0026
DHE-RSA-AES256-SHA256          7         0.002
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES128-SHA256        82        0.0234
ECDHE-RSA-AES256-GCM-SHA384    2         0.0006
ECDHE-RSA-AES256-SHA384        43        0.0123
IDEA-CBC-SHA                   32        0.0091
SEED-SHA                       32        0.0091

We can see that most of those servers support the non-ephemeral AES128-SHA256 cipher or ECDHE-RSA-AES128-SHA256. In other words, secure ciphers, but slower than the AES128-SHA or ECDHE-RSA-AES128-SHA ciphers (though not necessarily less secure than them).

Now, let's take a look at the set of ciphers that cause Firefox to prefer RC4 while it’s not actually the first cipher selected by the server (again, excluding the obviously bad cipher suites):

FF 29 RC4 pref other ciphers  Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              7935      2.261
AES128-SHA256                  9212      2.6249
AES256-GCM-SHA384              7887      2.2473
AES256-SHA256                  9212      2.6249
DHE-RSA-AES128-GCM-SHA256      110       0.0313
DHE-RSA-AES128-SHA256          110       0.0313
DHE-RSA-AES256-GCM-SHA384      112       0.0319
DHE-RSA-AES256-SHA256          113       0.0322
DHE-RSA-SEED-SHA               68        0.0194
ECDHE-RSA-AES128-SHA256        7050      2.0088
ECDHE-RSA-AES256-GCM-SHA384    6344      1.8077
ECDHE-RSA-AES256-SHA384        6698      1.9085
IDEA-CBC-SHA                   1770      0.5043
SEED-SHA                       1792      0.5106

We again see AES128-SHA256 and ECDHE-RSA-AES128-SHA256 ranking high; additionally, AES128-GCM-SHA256 and AES256-SHA256 are common and supported by the NSS cryptographic library. AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES256-SHA384 are also common, but unsupported by NSS.

Interestingly, the sites that are unsupported by Firefox are unsupported for a good reason:

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
ADH-AES128-SHA                 8         0.0023
ADH-AES256-SHA                 8         0.0023
ADH-DES-CBC3-SHA               8         0.0023
ADH-RC4-MD5                    8         0.0023
AECDH-AES128-SHA               1         0.0003
AECDH-AES256-SHA               1         0.0003
AECDH-DES-CBC3-SHA             1         0.0003
AECDH-RC4-SHA                  1         0.0003
DES-CBC-SHA                    16        0.0046
DHE-RSA-AES128-GCM-SHA256      1         0.0003
DHE-RSA-AES256-GCM-SHA384      2         0.0006
DHE-RSA-AES256-SHA256          1         0.0003
ECDHE-RSA-AES256-GCM-SHA384    3         0.0009
EDH-RSA-DES-CBC-SHA            15        0.0043
EXP-DES-CBC-SHA                11        0.0031
EXP-EDH-RSA-DES-CBC-SHA        12        0.0034
EXP-RC2-CBC-MD5                11        0.0031
EXP-RC4-MD5                    11        0.0031
NULL-MD5                       4         0.0011
NULL-SHA                       4         0.0011
NULL-SHA256                    3         0.0009

That gives us at most 7 servers (but no less than 3 servers) that could be supported if NSS supported SHA384 as the TLSv1.2 PRF without adding any insecure cipher suites.

Firefox 29 with RC4 disabled

OK, so the current cipher selection provides very good compatibility, but not security, for over 20% of sites on the Internet. How does this picture change if we remove support for RC4 ciphers?

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 incompatible      3790      1.0799

We become incompatible with just a bit over 1% of servers. Let's take a look at the ciphers we could then enable to become more compatible (excluding the obvious bad choices):

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
AES128-GCM-SHA256              49        0.014
AES128-SHA256                  98        0.0279
AES256-GCM-SHA384              26        0.0074
AES256-SHA256                  98        0.0279
DHE-RSA-AES128-GCM-SHA256      8         0.0023
DHE-RSA-AES128-SHA256          4         0.0011
DHE-RSA-AES256-GCM-SHA384      11        0.0031
DHE-RSA-AES256-SHA256          8         0.0023
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES128-SHA256        82        0.0234
ECDHE-RSA-AES256-GCM-SHA384    5         0.0014
ECDHE-RSA-AES256-SHA384        43        0.0123
ECDHE-RSA-RC4-SHA              104       0.0296
IDEA-CBC-SHA                   32        0.0091
RC4-MD5                        2136      0.6086
RC4-SHA                        3518      1.0024
SEED-SHA                       32        0.0091

The obvious solution would be to enable RC4, but as we’ve established, this is not a good idea.

Firefox 29 and one more cipher

If we could enable one more cipher, it would probably be ECDHE-RSA-AES128-SHA256. The result of such a change would look like this:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          219       0.0624
x:FF 29 RC4 Preferred     2705      0.7708
x:FF 29 incompatible      31        0.0088

2% change by adding just a single cipher suite!

Firefox 29 with more cipher suites

We know that when we disable RC4 we lose access to about 1% of sites. Let's see if we can decrease the number of sites that select RC4 but don’t prefer it over all other ciphers.

When we enable ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256 and DHE-RSA-AES256-SHA256 the statistics look like this:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          209       0.0596
x:FF 29 RC4 Preferred     2631      0.7497
x:FF 29 incompatible      29        0.0083

In other words, this decreases the number of sites that prefer RC4 by nearly 2%!

Adding AES128-GCM-SHA256, AES128-SHA256 and AES256-SHA256 to the mix causes the percentage to drop further to less than 0.1%:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          161       0.0459
x:FF 29 RC4 Preferred     251       0.0715
x:FF 29 incompatible      29        0.0083

Firefox 29 with more ciphers but no RC4

Removing RC4 ciphers in Firefox with this extended cipher set causes it to be incompatible with 1.04% of sites, compared to 1.08% in the default configuration:

Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 incompatible      3648      1.0395

The cipher suites that cause this lack of compatibility:

FF 29 incompatible ciphers    Count    Percent
-----------------------------+---------+------
ADH-AES128-GCM-SHA256          1         0.0003
ADH-AES128-SHA                 10        0.0028
ADH-AES128-SHA256              1         0.0003
ADH-AES256-GCM-SHA384          1         0.0003
ADH-AES256-SHA                 10        0.0028
ADH-AES256-SHA256              1         0.0003
ADH-CAMELLIA128-SHA            1         0.0003
ADH-CAMELLIA256-SHA            1         0.0003
ADH-DES-CBC-SHA                2         0.0006
ADH-DES-CBC3-SHA               10        0.0028
ADH-RC4-MD5                    25        0.0071
ADH-SEED-SHA                   1         0.0003
AECDH-AES128-SHA               6         0.0017
AECDH-AES256-SHA               6         0.0017
AECDH-DES-CBC3-SHA             6         0.0017
AECDH-RC4-SHA                  8         0.0023
AES128-SHA256                  3         0.0009
DES-CBC-SHA                    59        0.0168
DHE-RSA-AES256-GCM-SHA384      1         0.0003
DHE-RSA-SEED-SHA               31        0.0088
ECDHE-RSA-AES256-GCM-SHA384    4         0.0011
ECDHE-RSA-RC4-SHA              94        0.0268
EDH-RSA-DES-CBC-SHA            44        0.0125
EXP-ADH-DES-CBC-SHA            1         0.0003
EXP-ADH-RC4-MD5                4         0.0011
EXP-DES-CBC-SHA                38        0.0108
EXP-EDH-RSA-DES-CBC-SHA        30        0.0085
EXP-RC2-CBC-MD5                128       0.0365
EXP-RC4-MD5                    228       0.065
IDEA-CBC-SHA                   32        0.0091
NULL-MD5                       16        0.0046
NULL-SHA                       14        0.004
NULL-SHA256                    3         0.0009
RC4-MD5                        2038      0.5807
RC4-SHA                        3398      0.9682
SEED-SHA                       32        0.0091

Summary

Enabling additional cipher suites already supported by NSS makes connections to more than 2% of sites more secure. While enabling support for them is statistically insignificant for a configuration with RC4 disabled, the sites affected by it are not exactly small.

Most likely, the reason for the 2% discrepancy between sites that prefer RC4 in general and those that negotiate RC4 with Firefox is servers running old (2.2.x) versions of Apache, which do not support ECDHE key exchange but do support TLSv1.2. Administrators of those servers who still consider BEAST a threat may want to select different ciphers in TLSv1.1 and later (where no cipher is vulnerable to BEAST) than in TLSv1.0. Unfortunately, Apache doesn’t really facilitate that, so they are left with just putting all ciphers that require TLSv1.2 right before the RC4 ciphers. Combined with the fact that Firefox supports only two cipher suites that require TLSv1.2 (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256), this makes the connections end up using RC4.

Thankfully, Apache 2.2 will gain support for ECDHE, so this number should fall in the future.
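
The mechanism described in the summary, together with the "RC4 Only", "RC4 Preferred" and "incompatible" categories used in the tables, as an added example (it is not the script behind the scan). The classification rules, the client offer and both server lists are constructed for illustration; the offer is a stand-in, not the exact Firefox 29 list.

```python
# Added example: classify a scanned server against a client's cipher offer.
# Category names follow the tables on this page; the rules are an assumption.

def is_rc4(suite):
    return "RC4" in suite  # OpenSSL-style names, as used in the tables

def negotiate(server_prefs, client_offer, server_order=True):
    """Suite a handshake would pick, or None when nothing is shared."""
    if server_order:  # server enforces its own preference order
        return next((s for s in server_prefs if s in client_offer), None)
    return next((c for c in client_offer if c in server_prefs), None)

def classify(server_prefs, client_offer, server_order=True):
    shared = [s for s in server_prefs if s in client_offer]
    if not shared:
        return "incompatible"
    if all(is_rc4(s) for s in shared):
        return "RC4 Only"
    if is_rc4(negotiate(server_prefs, client_offer, server_order)):
        return "RC4 Preferred"
    return "no RC4"

def without_rc4(offer):
    return [s for s in offer if not is_rc4(s)]

# Constructed stand-in for the browser offer: only two TLSv1.2-only suites.
FF_STANDIN = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
              "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-RC4-SHA",
              "AES128-SHA", "RC4-SHA", "RC4-MD5"]
# Suites the page proposes enabling in addition.
EXTRA = ["AES128-GCM-SHA256", "AES128-SHA256", "AES256-SHA256"]
# Constructed servers: no ECDHE, TLSv1.2-only suites placed right before RC4.
APACHE22_STYLE = ["AES128-GCM-SHA256", "AES128-SHA256", "AES256-SHA256",
                  "RC4-SHA", "AES128-SHA"]
TLS12_OR_RC4 = ["AES128-SHA256", "AES256-SHA256", "RC4-SHA", "RC4-MD5"]

def survey():
    offers = {"default": FF_STANDIN,
              "default, no RC4": without_rc4(FF_STANDIN),
              "extended": FF_STANDIN + EXTRA,
              "extended, no RC4": without_rc4(FF_STANDIN + EXTRA)}
    servers = {"apache22_style": APACHE22_STYLE, "tls12_or_rc4": TLS12_OR_RC4}
    return {(srv, name): classify(prefs, offer)
            for srv, prefs in servers.items() for name, offer in offers.items()}

if __name__ == "__main__":
    for key, verdict in survey().items():
        print(key, "->", verdict)
```

Unlike the "x:" rows in the tables, which count only servers added on top of the general RC4 figures, classify() labels every server that ends up on RC4 with the given offer.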
