veyron/runtimes/google/ipc/stream/crypto: Update comment.
Update comment about use of RC4 so that we don't seem completely
out of touch to readers.
Change-Id: If6ef3c5c723aee1271917d503460417478c890a8
diff --git a/runtimes/google/ipc/stream/crypto/tls.go b/runtimes/google/ipc/stream/crypto/tls.go
index c791ac0..df0ea97 100644
--- a/runtimes/google/ipc/stream/crypto/tls.go
+++ b/runtimes/google/ipc/stream/crypto/tls.go
@@ -207,10 +207,12 @@
SessionTicketsDisabled: true,
Certificates: []tls.Certificate{c},
InsecureSkipVerify: true,
- // RC4_128_SHA is 4-5X faster compared to the other cipher suites
- // and is what google.com seems to use.
- // Allowing ECDHE_RSA for the key exchange since some older binaries
- // have an RSA certificate hardcoded in them.
+ // RC4_128_SHA is 4-5X faster compared to the other cipher suites.
+ // There are concerns with its security (see http://en.wikipedia.org/wiki/RC4 and
+ // https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan),
+ // so this decision will be revisted.
+ // TODO(ashankar,ataly): Figure out what cipher to use and how to
+ // have a speedy Go implementation of it.
CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA},
}
}
