14 Apr 2014

Why does YouTube insist on weak RC4?

Submitted by blizzz
YouTube delivers video with RC4 only

A few weeks ago, Google made some changes to YouTube. Now, when you attempt to watch a video on YouTube, the video will be streamed using the RC4 cipher. If you disable RC4 in your browser, no video will be loaded. You cannot watch it. It is also documented in a Google Groups thread. The first time I heard about it was when Faldrian shared his experience with googlevideo.com (German), while YouTube still worked without RC4. A bit later Google extended it to YouTube.
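One way to check which cipher suite a server actually picked is to read it from the ServerHello in a captured handshake. The following Node.js sketch is an added example, not part of the original post; the function names are illustrative and the handshake bytes are constructed, not captured from YouTube.

```javascript
// Added example: report whether a TLS ServerHello selected an RC4 cipher suite.
// Function names and the sample bytes are constructed for illustration.

// RC4 suites from the IANA TLS cipher suite registry (not exhaustive).
const RC4_SUITES = new Map([
  [0x0004, 'TLS_RSA_WITH_RC4_128_MD5'],
  [0x0005, 'TLS_RSA_WITH_RC4_128_SHA'],
  [0xc007, 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA'],
  [0xc011, 'TLS_ECDHE_RSA_WITH_RC4_128_SHA'],
]);

// Parse one TLS record holding a ServerHello and return the chosen suite.
function selectedSuite(record) {
  if (record.length < 5 + 4 + 2 + 32 + 1) throw new Error('record too short');
  if (record[0] !== 0x16) throw new Error('not a handshake record');
  const recLen = record.readUInt16BE(3);
  if (5 + recLen > record.length) throw new Error('truncated record');
  if (record[5] !== 0x02) throw new Error('not a ServerHello');
  const bodyLen = record.readUIntBE(6, 3);
  const end = 9 + bodyLen;
  if (end > 5 + recLen) throw new Error('ServerHello spans multiple records');
  let off = 9 + 2 + 32;            // skip server_version and random
  const sidLen = record[off];      // session_id is a variable-length field
  off += 1 + sidLen;
  if (sidLen > 32 || off + 2 > end) throw new Error('bad session_id length');
  const id = record.readUInt16BE(off);
  return { id, name: RC4_SUITES.get(id) || null, isRC4: RC4_SUITES.has(id) };
}

// Constructed ServerHello: TLS 1.2, empty session_id, given suite, no extensions.
function sampleServerHello(suiteId) {
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),          // server_version
    Buffer.alloc(32, 0xab),             // random (constructed filler)
    Buffer.from([0x00]),                // session_id length = 0
    Buffer.from([suiteId >> 8, suiteId & 0xff]),
    Buffer.from([0x00]),                // compression: null
  ]);
  const hs = Buffer.concat([Buffer.from([0x02, 0x00, 0x00, body.length]), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x03, 0x00, hs.length]), hs]);
}

console.log(selectedSuite(sampleServerHello(0xc011)));
console.log(selectedSuite(sampleServerHello(0xc02f)));
```

To use it on real traffic, pass in the first handshake record the server sends, taken from a packet capture.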

What's bad about RC4

RC4 is a widely used stream cipher. For instance, it is used to safely transport video or audio by symmetric encryption. The advantages of RC4 are that it is simple and fast. But it also has its drawbacks.

It is said that the RC4 cipher has been cryptographically broken (= insecure) for years. Jacob Appelbaum states the NSA can break it in real time. If this is true, it is as good as no encryption. Although no proof exists in public, it seems to be very likely. If you want to be on the safe side, you disable RC4 in your browser. But you cannot disable it for certain web sites only (or only whitelist sites) – it affects all sites.

Even Microsoft recommends staying away from RC4.

There may be good reasons for Google doing so, after all they usually reason things out before taking actions. It might have been that Google did not send their videos over an encrypted HTTP connection before (pure speculation), but now they do. Well meant is not necessarily well done. If it drives people to keep using RC4, worse security is the result. My guess is they switched all traffic to TLS encrypted connections, after certain Snowden leaks, and RC4 was the fastest and easiest to implement for video streaming.

An interesting side note is that Google filed a draft for an alternative stream cipher for TLS. The candidate is ChaCha20 by Bernstein. So maybe RC4 is just a temporary move?

So what?

I keep RC4 disabled; YouTube is not that important to me. Except for YouTube, I believe I came across only one other site that relied solely on RC4, and it was far less important; I do not even remember which one it was.

I only wish that more people or blogs would move away from YouTube. The other major reason for this is to get away from (centralized) services provided by companies that are too big to be good.

Bookmarklet: Search for video on other sites

Since people will not stop linking to YouTube in the near future, I need to find the videos on other sites if I want to watch them. I wrote a little bookmarklet (What is a bookmarklet?) that I can click when I end up on a YouTube video. It will take the video title and start a Google video search excluding youtube.com.

Now, not every video will be available somewhere else. Bad luck. On the other hand, many videos on YouTube that are blocked in Germany can be freely seen on other sites. Interested in the bookmarklet? Drag the following "link" into your bookmarks list. Below is a quick video howto if you are new to bookmarklets and also the source code.

Find this video!
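javascript:(function(){
    /* The video title element on the YouTube watch page */
    var el=document.getElementById('eow-title');
    if(!el){return;} /* not on a video page */
    var title=el.getAttribute('title');
    /* Plain space here: encodeURIComponent below does the escaping */
    var noyt=' -site:youtube.com';
    var se='http://www.google.com/search?&tbm=vid&q=';
    window.location=se+encodeURIComponent(title+noyt);
})();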

Why actually a Google search? – Mainly for ironic reasons. Most likely you can use any search engine that offers a video search if you adjust the URL and parameters. My search engine of choice is startpage.com, by the way, and I do block Google cookies.

Comments

I found viewing Youtube vids through an unencrypted proxy such as proxfree.com/youtube-proxy.php gets rid of the RC4. (Do not enable the proxy SSL.) I wonder if you can create a bookmarklet for it.

Might work, you will need to send data via POST though. Never tried that with a bookmarklet.

Thanks!
