To add to Ted's clarification requests:

On 11/07/17 19:39, Steve Fenter wrote:
> Network security monitoring is not just monitoring traffic that
> results from communications with customers and partners. All it
> takes is for one user to click on a phishing email and there is
> malware inside the enterprise. Once this happens, TLS becomes the
> enemy, because 30% of malware is TLS encrypted, and any TLS features
> intended to thwart payload inspection work against the enterprise.
I'd appreciate a citation for that 30% figure. And, if you had one, an estimate for how much malware does its own obfuscation or home-grown crypto in addition to or instead of using TLS. The reason to ask is that as soon as malware does that, then you are back to analysis based on ciphertext only. From descriptions of advanced attack schemes, they do seem to do both when calling home or exfiltrating data. In which case I think your argument falls.

> Malware does not always phone home out to the Internet on day 1 of
> infection.

In what circumstance will malware phone home to a TLS server that is playing your wiretap game? That seems utterly illogical, but maybe I'm missing a reason why someone's malware will use TLS to talk to a server that is controlled by the victim network as part of phoning home. Please clarify.

S.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls