On Wednesday 02 December 2015 12:59:12 Jacob Appelbaum wrote:
> On 12/2/15, Yoav Nir <ynir.i...@gmail.com> wrote:
> >> On 2 Dec 2015, at 1:38 PM, Jacob Appelbaum <ja...@appelbaum.net>
> >> wrote:
> >>
> >> On 12/1/15, Yoav Nir <ynir.i...@gmail.com> wrote:
> >>>> Which would those be? And what is the definition of
> >>>> capital-intensive for those watching on the sidelines?
> >>>
> >>> Firewall, IPS/IDS devices. Boxes that attempt to perform
> >>> sanity-check on protocols to make sure that the stuff going over
> >>> TCP port 443 is really HTTPS rather than an attempt at tunneling.
> >>> There are some attacks such that the code that protects against
> >>> them needs to follow TLS record sizes. For the most part these are
> >>> not-so-interesting attacks, causing certain versions of certain
> >>> browsers to hang, and they are expensive for the firewall to
> >>> protect against, so for the most part these protections are turned
> >>> off. But it’s not everywhere.
> >>
> >> Could you be more specific? Which devices are we saying will break?
> >> Do you have model numbers? Are those vendors on this list? Do they
> >> agree that this will break and do we agree that they are a
> >> relevant stakeholder who has a user's security in mind?
> >
> > I am no expert on middleboxes. I know a little about those that my
> > employer (Check Point) makes. I only know a little, because I’m on
> > the VPN side of things, not the IDS/IPS/next generation firewall
> > side.
>
> I don't think we should worry about breaking poor little Check Point's
> traffic analysis devices. Allow me to shift the Overton window: their
> device is a problem and we should treat it as a problem on the
> network. TLS should mitigate as many of the advantages that they use
> to harm end users. We should make those devices use as much RAM and
> as much disk space and as much CPU time as possible. In the words of
> a Google engineer who discovered the NSA had been doing traffic
> analysis on his backbone...

Problem is that users care for the cat macros and wedding pictures on
their social network of choice. If the old version of browser works or
another browser works then it /obviously/ is the new browser's fault
that the connection fails so it's the /new/ browser that is broken.

So the browser vendor implements out-of-protocol fallback to old
protocol version so that it continues to work.

That's a Bad Thing.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls