On 12 July 2017 at 09:59, Steve Fenter <steven.fente...@gmail.com> wrote:
>> And if you had one, an estimate for how much malware does its own
>> obfuscation or home-grown crypto in addition or instead of using TLS.
>> The reason to ask is that as soon as malware does that then you
>> are back to analysis based on ciphertext only. From descriptions
>> of advanced attack schemes, they do seem to do both when calling
>> home or exfiltrating data. In which case I think your argument
>> falls.
>
> I don't have any numbers for home-grown crypto. I would think the odds are
> better for the enterprise if they can decrypt and inspect whatever portion is
> TLS.

Wouldn't malware avoid connecting to servers that offer the wrong credentials? Implementing elementary key pinning or overriding trust anchors is pretty trivial - it's a feature that enterprises frequently rely on after all.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls