On 15 Jul 2017, at 3:40, Watson Ladd wrote:
> DDoS mitigation can be done at endpoints

Not at scale. That's why it isn't done that way.

I'm all in favor of things like mod_security. But they can't do the heavy lifting on boxes which are already burdened by handling legitimate traffic.

> If you want to detect unauthorized access to a resource, having the
> resource which determines access anyway log that is enough.

This is incorrect.

> Exfiltration detection based on looking for sensitive identifiers
> doesn't work:

Yes, it does. I know, because I've done it.

> real attackers will encrypt the data and dribble it out slowly or
> pretend to be videoconferencing.

Believe me, real attackers do all kinds of things - and the most common exfiltration mechanism is to try and get lost in the http/s crowd.

> As for attack surface why is "Press here to get plaintext of
> everything" not a major, major increase in attackability?

Because these are intranet-only systems on isolated management networks with strong access controls.

> Which DDoS attacks specifically?

Among others, application-layer DDoS attacks within the cryptostream.

> And if the traffic isn't hitting endpoints, does it matter?

Of course it matters.

> I've not personally had the pleasure of doing this, but I
> know it is possible because it is done every day.
>
> Finally, most software can export the secrets from TLS connections to
> a file.

Logs are context-free and in no wise have the same value as being able to see the interactive traffic on the network in real-time.

> The capacity being asked for already exists.

Yes - and now folks are talking about arbitrarily taking this capability away without understanding its criticality to network operations, troubleshooting, and security.

The fact that we're even having this discussion at this point in time is because of an astounding lack of due diligence on the part of those who are pushing to remove the capability to monitor standards-based encrypted traffic on intranets.
-----------------------------------
Roland Dobbins <rdobb...@arbor.net>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls