As some of you know, YouTube now supports one other cipher besides the venerable RC4. Unfortunately, this other cipher suite is not supported by the currently released Firefox (but is supported by the underlying cryptographic library – NSS).
So I went and implemented a patch that allows the user to enable this other cipher suite (among others).
Side note: while compiling Firefox requires quite a few dependencies and lots of patience (not to mention a few gigabytes of disk space), the process itself is really easy with all the guides available on the Mozilla Developer Network. Props to all the people responsible for this documentation and scripts!
The patch I wrote was unfortunately shot down by Brian Smith because the current goal is to push server operators to implement support for ECDHE and AES-GCM. While this is a noble goal, I’m a bit more pragmatic (or impatient, if you will) and want the cipher suite selection to represent what servers do, not what we want them to do.
(While I write below about Firefox 29, the same is true of the current development master branch.)
Current state of Firefox 29
I took this month’s scan results and checked them against the ciphers Firefox offers.
The good news: Firefox 29 cipher selection is incompatible with less than 0.01% of sites (assuming that all Internet servers support at least one cipher suite that OpenSSL supports).
The bad news: its cipher selection makes the number of servers that prefer RC4 over other cipher suites larger by another 2.68% (for a total of 21.3%).
Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          301       0.0858
x:FF 29 RC4 Preferred     9421      2.6844
x:FF 29 incompatible      31        0.0088
Let’s look closer at the ciphers that cause some servers to be elevated to the RC4 Only state (excluding the obviously bad anonymous or export-grade cipher suites):
FF 29 RC4 Only other ciphers  Count     Percent
-----------------------------+---------+------
AES128-GCM-SHA256             49        0.014
AES128-SHA256                 98        0.0279
AES256-GCM-SHA384             26        0.0074
AES256-SHA256                 98        0.0279
DHE-RSA-AES128-GCM-SHA256     7         0.002
DHE-RSA-AES128-SHA256         4         0.0011
DHE-RSA-AES256-GCM-SHA384     9         0.0026
DHE-RSA-AES256-SHA256         7         0.002
DHE-RSA-SEED-SHA              31        0.0088
ECDHE-RSA-AES128-SHA256       82        0.0234
ECDHE-RSA-AES256-GCM-SHA384   2         0.0006
ECDHE-RSA-AES256-SHA384       43        0.0123
IDEA-CBC-SHA                  32        0.0091
SEED-SHA                      32        0.0091
We can see that most of those servers support the non-ephemeral AES128-SHA256 cipher or ECDHE-RSA-AES128-SHA256. In other words, secure ciphers, but slower than the AES128-SHA or ECDHE-RSA-AES128-SHA ciphers (though not necessarily less secure than them).
Now, let’s take a look at the set of ciphers that cause Firefox to prefer RC4 while it’s not actually the first cipher selected by the server (again, excluding the obviously bad cipher suites):
FF 29 RC4 pref other ciphers  Count     Percent
-----------------------------+---------+------
AES128-GCM-SHA256             7935      2.261
AES128-SHA256                 9212      2.6249
AES256-GCM-SHA384             7887      2.2473
AES256-SHA256                 9212      2.6249
DHE-RSA-AES128-GCM-SHA256     110       0.0313
DHE-RSA-AES128-SHA256         110       0.0313
DHE-RSA-AES256-GCM-SHA384     112       0.0319
DHE-RSA-AES256-SHA256         113       0.0322
DHE-RSA-SEED-SHA              68        0.0194
ECDHE-RSA-AES128-SHA256       7050      2.0088
ECDHE-RSA-AES256-GCM-SHA384   6344      1.8077
ECDHE-RSA-AES256-SHA384       6698      1.9085
IDEA-CBC-SHA                  1770      0.5043
SEED-SHA                      1792      0.5106
We again see AES128-SHA256 and ECDHE-RSA-AES128-SHA256 ranking high; additionally, AES128-GCM-SHA256 and AES256-SHA256 are common and supported by the NSS cryptographic library. AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES256-SHA384 are also common, but unsupported by NSS.
Interestingly, the sites that are unsupported by Firefox are unsupported for a good reason:
FF 29 incompatible ciphers    Count     Percent
-----------------------------+---------+------
ADH-AES128-SHA                8         0.0023
ADH-AES256-SHA                8         0.0023
ADH-DES-CBC3-SHA              8         0.0023
ADH-RC4-MD5                   8         0.0023
AECDH-AES128-SHA              1         0.0003
AECDH-AES256-SHA              1         0.0003
AECDH-DES-CBC3-SHA            1         0.0003
AECDH-RC4-SHA                 1         0.0003
DES-CBC-SHA                   16        0.0046
DHE-RSA-AES128-GCM-SHA256     1         0.0003
DHE-RSA-AES256-GCM-SHA384     2         0.0006
DHE-RSA-AES256-SHA256         1         0.0003
ECDHE-RSA-AES256-GCM-SHA384   3         0.0009
EDH-RSA-DES-CBC-SHA           15        0.0043
EXP-DES-CBC-SHA               11        0.0031
EXP-EDH-RSA-DES-CBC-SHA       12        0.0034
EXP-RC2-CBC-MD5               11        0.0031
EXP-RC4-MD5                   11        0.0031
NULL-MD5                      4         0.0011
NULL-SHA                      4         0.0011
NULL-SHA256                   3         0.0009
That gives us at most 7 servers (but no less than 3 servers) that could be supported if NSS supported SHA384 as the TLSv1.2 PRF without adding any insecure cipher suites.
Firefox 29 with RC4 disabled
OK, so the current cipher selection provides very good compatibility, but not security, for over 20% of sites on the Internet. How does this picture change if we remove support for RC4 ciphers?
Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 incompatible      3790      1.0799
We become incompatible with just a bit over 1% of servers. Let’s take a look at the ciphers we could then enable to become more compatible (excluding the obviously bad choices):
FF 29 incompatible ciphers    Count     Percent
-----------------------------+---------+------
AES128-GCM-SHA256             49        0.014
AES128-SHA256                 98        0.0279
AES256-GCM-SHA384             26        0.0074
AES256-SHA256                 98        0.0279
DHE-RSA-AES128-GCM-SHA256     8         0.0023
DHE-RSA-AES128-SHA256         4         0.0011
DHE-RSA-AES256-GCM-SHA384     11        0.0031
DHE-RSA-AES256-SHA256         8         0.0023
DHE-RSA-SEED-SHA              31        0.0088
ECDHE-RSA-AES128-SHA256       82        0.0234
ECDHE-RSA-AES256-GCM-SHA384   5         0.0014
ECDHE-RSA-AES256-SHA384       43        0.0123
ECDHE-RSA-RC4-SHA             104       0.0296
IDEA-CBC-SHA                  32        0.0091
RC4-MD5                       2136      0.6086
RC4-SHA                       3518      1.0024
SEED-SHA                      32        0.0091
The obvious solution would be to enable RC4, but as we’ve established, this is not a good idea.
Firefox 29 and one more cipher
If we could enable one more cipher, it would probably be ECDHE-RSA-AES128-SHA256. The result of such a change would look like this:
Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          219       0.0624
x:FF 29 RC4 Preferred     2705      0.7708
x:FF 29 incompatible      31        0.0088
2% change by adding just a single cipher suite!
Firefox 29 with more cipher suites
We know that when we disable RC4 we lose access to about 1% of sites. Let’s see if we can decrease the number of sites that select RC4 but don’t prefer it over all other ciphers.
When we enable ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256 and DHE-RSA-AES256-SHA256, the statistics look like this:
Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          209       0.0596
x:FF 29 RC4 Preferred     2631      0.7497
x:FF 29 incompatible      29        0.0083
In other words, this decreases the number of sites that prefer RC4 by nearly 2%!
Adding AES128-GCM-SHA256, AES128-SHA256 and AES256-SHA256 to the mix causes the percentage to drop further to less than 0.1%:
Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 RC4 Only          161       0.0459
x:FF 29 RC4 Preferred     251       0.0715
x:FF 29 incompatible      29        0.0083
Firefox 29 with more ciphers but no RC4
Removing RC4 ciphers in Firefox with this extended cipher set causes it to be incompatible with 1.04% of sites, compared to 1.08% in the default configuration:
Supported Ciphers         Count     Percent
-------------------------+---------+-------
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
x:FF 29 incompatible      3648      1.0395
The cipher suites that cause this lack of compatibility:
FF 29 incompatible ciphers    Count     Percent
-----------------------------+---------+------
ADH-AES128-GCM-SHA256         1         0.0003
ADH-AES128-SHA                10        0.0028
ADH-AES128-SHA256             1         0.0003
ADH-AES256-GCM-SHA384         1         0.0003
ADH-AES256-SHA                10        0.0028
ADH-AES256-SHA256             1         0.0003
ADH-CAMELLIA128-SHA           1         0.0003
ADH-CAMELLIA256-SHA           1         0.0003
ADH-DES-CBC-SHA               2         0.0006
ADH-DES-CBC3-SHA              10        0.0028
ADH-RC4-MD5                   25        0.0071
ADH-SEED-SHA                  1         0.0003
AECDH-AES128-SHA              6         0.0017
AECDH-AES256-SHA              6         0.0017
AECDH-DES-CBC3-SHA            6         0.0017
AECDH-RC4-SHA                 8         0.0023
AES128-SHA256                 3         0.0009
DES-CBC-SHA                   59        0.0168
DHE-RSA-AES256-GCM-SHA384     1         0.0003
DHE-RSA-SEED-SHA              31        0.0088
ECDHE-RSA-AES256-GCM-SHA384   4         0.0011
ECDHE-RSA-RC4-SHA             94        0.0268
EDH-RSA-DES-CBC-SHA           44        0.0125
EXP-ADH-DES-CBC-SHA           1         0.0003
EXP-ADH-RC4-MD5               4         0.0011
EXP-DES-CBC-SHA               38        0.0108
EXP-EDH-RSA-DES-CBC-SHA       30        0.0085
EXP-RC2-CBC-MD5               128       0.0365
EXP-RC4-MD5                   228       0.065
IDEA-CBC-SHA                  32        0.0091
NULL-MD5                      16        0.0046
NULL-SHA                      14        0.004
NULL-SHA256                   3         0.0009
RC4-MD5                       2038      0.5807
RC4-SHA                       3398      0.9682
SEED-SHA                      32        0.0091
Summary
Enabling additional cipher suites already supported by NSS makes connections to more than 2% of sites more secure. While enabling support for them is statistically insignificant for a configuration with RC4 disabled, the sites affected by it are not exactly small.
Most likely, the 2% discrepancy between sites that prefer RC4 in general and sites that negotiate RC4 with Firefox comes from servers running old (2.2.x) versions of Apache, which do not support ECDHE key exchange but do support TLSv1.2. Administrators of those servers who still consider BEAST a threat may want to select different ciphers in TLSv1.1 and later (which makes all ciphers invulnerable to BEAST) than in TLSv1.0. Unfortunately, Apache doesn’t really facilitate that, so they are left with just putting all ciphers that require TLSv1.2 right before the RC4 ciphers. Combined with the fact that Firefox supports only two cipher suites that require TLSv1.2 (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256), this makes the connections end up using RC4.
Thankfully, Apache 2.2 will gain support for ECDHE, so this number should fall in the future.
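
The mechanism described in the Summary, as an added example (not code from the original post or from the scan tooling): a server that enforces its own preference order picks the first suite in its list that the client also offers, so TLSv1.2-only suites placed ahead of RC4 are skipped when the client lacks them. The client offer, the server lists and the category definitions below are constructed assumptions.

```python
# Added example, not from the original post. CLIENT_BASE is an abbreviated,
# constructed offer built from suite names in the post; it is NOT the full
# Firefox 29 list. SERVERS are constructed preference lists (best first).
CLIENT_BASE = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA", "AES128-SHA",
    "ECDHE-RSA-RC4-SHA", "RC4-SHA", "RC4-MD5",
]
SERVERS = {
    # No ECDHE; TLSv1.2-only suites ahead of RC4, CBC fallback last.
    "tls12-then-rc4": ["AES128-GCM-SHA256", "AES128-SHA256",
                       "AES256-SHA256", "RC4-SHA", "AES128-SHA"],
    "rc4-first": ["RC4-SHA", "AES128-SHA"],
    "sha256-or-rc4": ["AES128-SHA256", "RC4-SHA"],
    "export-only": ["EXP-RC4-MD5", "EXP-DES-CBC-SHA"],
}

def is_rc4(suite):
    return "RC4" in suite.split("-")

def negotiate(server_order, client_offer):
    """Server-side preference: first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_order if s in offered), None)

def classify(server_order, client_offer):
    """Assumed category definitions, modelled on the post's table labels."""
    chosen = negotiate(server_order, client_offer)
    if chosen is None:
        return "incompatible"
    if not is_rc4(chosen):
        return "no RC4"
    offered = set(client_offer)
    shared = [s for s in server_order if s in offered]
    return "RC4 only" if all(is_rc4(s) for s in shared) else "RC4 preferred"

def survey(client_offer):
    return {name: classify(order, client_offer)
            for name, order in SERVERS.items()}

if __name__ == "__main__":
    offers = {
        "base": CLIENT_BASE,
        "base + AES128-SHA256": CLIENT_BASE + ["AES128-SHA256"],
        "base without RC4": [s for s in CLIENT_BASE if not is_rc4(s)],
    }
    for label, offer in offers.items():
        print(label, survey(offer))
```

Adding a single TLSv1.2 CBC suite to the offer moves the "tls12-then-rc4" server off RC4, while dropping RC4 from the offer only breaks servers whose remaining shared suites were all RC4.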