[Cryptography] RC4 again (actual security, scalability and other discussion)
ianG
iang at iang.org
Mon Mar 10 06:25:19 EDT 2014
On 10/03/2014 06:36 am, Tom Mitchell wrote:
> I only say this because when folk run from something (driven by FUD) they
> tend to herd like lemmings and too many fall of the cliff.
>
> In my mind the single problem with encryption is that it
> is not used enough. There are now two classes of messages
> flowing and the minority by far is encrypted.
Yup. We would have been better off if they'd stuck to 40 bit crypto in
1994 and covered 100% of the web. It's relatively easy to upgrade from
40 bit to 128 bit. It's a real pig to upgrade from 0 bit to 40 bit.
But you can't tell a standards group or a committee or a cypherpunk or a
vendor or any other cartel things like that.
Imagine going to PKIX and saying "oh, RC4 is fine, but can you make SSL
opportunistic and phase out HTTP in favour of HTTPS, please? Pretty
please?"
iang
ps; I agree with replacing RC4 wherever it is seen. It's where it is
not seen I get upset about.
More information about the cryptography
mailing list