On 14 Jul 2017, at 8:02, Martin Thomson wrote:
Just an aside, though I think Kathleen already made this point: If I were writing malware, I would use TLS. It's pretty good at what it does and it's hard to distinguish from legitimate uses (there are some trick's suggested by McGrew's research on this point).
The bad guys make use of TLS all the time, including lateral movement within intranets.
At the point that I have sufficient control over a host that I can run my software, then I would pin certificates and the best you could do is block me. None of the advice about configuration of trust anchors (pinning, overrides, etc...) helps at that point.
Correct. Which is why it's critical in the intranet context, within a single span of administrative control, to have visibility into the actual cryptostream.
Most discussions regarding breaking TLS focus on the breaking of TLS to *prevent* malware from infesting machines.
Correct - and that's the wrong emphasis. The emphasis should be on having the ability to monitor the crypto stream within the intranet in order to detect and classify compromised machines, because that ability is used very heavily for that purpose on intranets, and has been for many years.
----------------------------------- Roland Dobbins <rdobb...@arbor.net> _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
