Re: [TLS] Breaking into TLS to protect customers

2018-03-22 Thread Benjamin Kaduk
[Apparently this was stuck in my 'drafts' folder; sorry if it has since become stale...] On Mon, Mar 19, 2018 at 07:20:04AM -0700, Colm MacCárthaigh wrote: > It's true that breaking open cleartext runs counter to the mission of > end-to-end TLS, but it also seems like operators are going to do it

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Eric Mill
On Mon, Mar 19, 2018 at 9:23 AM, Yoav Nir wrote: [snip] > > On 19 Mar 2018, at 7:32, Daniel Kahn Gillmor > wrote: > > So if this technology were deployed on a network where not all parties > > are mutually trusting, it would offer network users a choice between > > surveillance by the network on

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Salz, Rich
* It's difficult to speculate here about the potential impact, but isn't another possibility that it would legitimize a mass-market of such products, particularly if such capabilities were introduced into clients and browsers? That is definitely a goal. The people who are in favor of this, w

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Benjamin Kaduk
On Mon, Mar 19, 2018 at 12:22:48PM -0400, Ryan Sleevi wrote: > On Mon, Mar 19, 2018 at 10:20 AM, Colm MacCárthaigh > wrote: > > > 2/ clients and browsers could easily consider such sessions insecure by > > default. This would mean that adopters would have to deploy configurations > > and mechanis

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Benjamin Kaduk
On Mon, Mar 19, 2018 at 01:23:30PM +, Yoav Nir wrote: > Hi, Daniel > > Inline... > > > On 19 Mar 2018, at 7:32, Daniel Kahn Gillmor wrote: > > > > > > So if this technology were deployed on a network where not all parties > > are mutually trusting, it would offer network users a choice bet

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Ryan Sleevi
On Mon, Mar 19, 2018 at 10:20 AM, Colm MacCárthaigh wrote: > 2/ clients and browsers could easily consider such sessions insecure by > default. This would mean that adopters would have to deploy configurations > and mechanisms to enable this functionality, similar to - but beyond - how > private

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread R du Toit
: "tls@ietf.org" Subject: Re: [TLS] Breaking into TLS to protect customers It's true that breaking open cleartext runs counter to the mission of end-to-end TLS, but it also seems like operators are going to do it if they can. Whether by staying on plain RSA, using static-D

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Colm MacCárthaigh
It's true that breaking open cleartext runs counter to the mission of end-to-end TLS, but it also seems like operators are going to do it if they can. Whether by staying on plain RSA, using static-DH, MITM through installing a private trusted CA, or exporting session secrets, they can certainly do

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Yoav Nir
Hi, Daniel Inline... > On 19 Mar 2018, at 7:32, Daniel Kahn Gillmor wrote: > > On Thu 2018-03-15 20:10:46 +0200, Yoav Nir wrote: >>> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue wrote: >>> >>> I fail to see how the current draft can be used to provide visibility >>> to an IPS system in order

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Joseph Lorenzo Hall
+1 On Mon, Mar 19, 2018 at 3:32 AM, Daniel Kahn Gillmor wrote: > On Thu 2018-03-15 20:10:46 +0200, Yoav Nir wrote: >>> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue wrote: >>> >>> I fail to see how the current draft can be used to provide visibility >>> to an IPS system in order to detect bots t

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Daniel Kahn Gillmor
On Thu 2018-03-15 20:10:46 +0200, Yoav Nir wrote: >> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue wrote: >> >> I fail to see how the current draft can be used to provide visibility >> to an IPS system in order to detect bots that are inside the bank… >> >> On the one hand, the bot would never o

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Matthew Ford
Hi Darin, > On 18 Mar 2018, at 16:09, Darin Pettis wrote: > > pushing this to another technology or WG isn't going to solve the current > problem in time. In time for what? Mat

Re: [TLS] Breaking into TLS to protect customers

2018-03-18 Thread Eric Mill
re and insurance >> industries as well, and is not an accident. It is one of the primary >> reasons this monitoring is performed. >> >> >> >> *From:* TLS [mailto:tls-boun...@ietf.org] *On Behalf Of *Yoav Nir >> *Sent:* Thursday, March 15, 2018 12:58 AM >> *To:* Rich

Re: [TLS] Breaking into TLS to protect customers

2018-03-18 Thread Darin Pettis
rom:* TLS [mailto:tls-boun...@ietf.org] *On Behalf Of *Yoav Nir > *Sent:* Thursday, March 15, 2018 12:58 AM > *To:* Rich Salz > *Cc:* tls@ietf.org > *Subject:* Re: [TLS] Breaking into TLS to protect customers > > > > Hi, Rich. > > > > You are conflating customers

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Ackermann, Michael
12:58 AM To: Rich Salz Cc: tls@ietf.org Subject: Re: [TLS] Breaking into TLS to protect customers Hi, Rich. You are conflating customers and users. The customer that may be protected by breaking TLS in a bank’s server farm is the bank itself. An IPS system with visibility into the traffic may

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Roland Zink
On 15.03.2018 at 17:58, Carl Mehner wrote: On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty > wrote: > I think what Yoav is referring to by detecting BOTS within the > network, is really so-called advanced persistent threat (APT) actors > that are mo

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Yoav Nir
> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue wrote: > > I fail to see how the current draft can be used to provide visibility to an > IPS system in order to detect bots that are inside the bank… > > On the one hand, the bot would never opt-in for visibility if it’s trying to > exfiltrate

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Ion Larranaga Azcue
> -Original Message- > From: Kathleen Moriarty [mailto:kathleen.moriarty.i...@gmail.com] > Sent: Thursday, 15 March 2018 18:42 > To: Carl Mehner > CC: Ion Larranaga Azcue ; tls@ietf.org > Subject: Re: [TLS] Breaking into TLS to protect customers > > The e

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Kathleen Moriarty
On Thu, Mar 15, 2018 at 12:58 PM, Carl Mehner wrote: > > > On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty > wrote: >> I think what Yoav is referring to by detecting BOTS within the >> network, is really so-called advanced persistent threat (APT) actors >> that are moving around the internal ne

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Carl Mehner
On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty < kathleen.moriarty.i...@gmail.com> wrote: > I think what Yoav is referring to by detecting BOTS within the > network, is really so-called advanced persistent threat (APT) actors > that are moving around the internal network leveraging existing acce

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Kathleen Moriarty
derstood the use case altogether… > > > > > > From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Yoav Nir > Sent: Thursday, 15 March 2018 5:58 > To: Rich Salz > CC: tls@ietf.org > Subject: Re: [TLS] Breaking into TLS to protect customers > > > >

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Salz, Rich
12:57 AM To: Rich Salz Cc: "tls@ietf.org" Subject: Re: [TLS] Breaking into TLS to protect customers Hi, Rich. You are conflating customers and users. The customer that may be protected by breaking TLS in a bank’s server farm is the bank itself. An IPS system with visibility into t

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Ion Larranaga Azcue
lowering the TLS protocol security level. Or maybe I misunderstood the use case altogether… From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Yoav Nir Sent: Thursday, 15 March 2018 5:58 To: Rich Salz CC: tls@ietf.org Subject: Re: [TLS] Breaking into TLS to protect customers Hi, Rich

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread nalini elkins
> Are we going to discuss draft-fenter ad hoc, or we'll start a new thread dedicated to that? Because I strongly believe I also have some suggestions for that draft. Artyom, yes, as far as I am concerned at least, please start a new thread. Sorry I am getting behind on responding to all the email

Re: [TLS] Breaking into TLS to protect customers

2018-03-14 Thread Yoav Nir
Hi, Rich. You are conflating customers and users. The customer that may be protected by breaking TLS in a bank’s server farm is the bank itself. An IPS system with visibility into the traffic may detect bots that are there to steal data or mine cryptocurrencies or whatever. If the customers of

Re: [TLS] Breaking into TLS to protect customers

2018-03-14 Thread Artyom Gavrichenkov
Are we going to discuss draft-fenter ad hoc, or we'll start a new thread dedicated to that? Because I strongly believe I also have some suggestions for that draft. Wed, 14 Mar 2018, 23:30 Salz, Rich : > Some on this list have said that they need to break into TLS in order to > protect customer