On 1/12/2018 1:53 PM, Dan Wing wrote:
> I'll dare to have a look into the future and make this imho very
> plausible claim:
> Cisco won't be the only vendor selling such things. We will see more
> products that magically can identify "bad things" in TLS traffic by
> applying everything from AI to Blockchain.
Well, of course we will see such products. We know that it is possible to do a lot of pattern recognition based on properties of the encrypted traffic, as well as clear text parts of the headers. And we also know that there are lots of network managers that want to understand what's happening in their networks. The kind of products shown here seems rather preferable to the previous generation of products that required breaking the encryption.

> We will almost certainly see a whole new generation of devices doing
> weirdness with TLS and who will drop or manipulate packages that contain
> things they don't know (like... a version negotiation field with TLS
> 1.4 or a large post quantum key exchange message).

That's the general problem with machine learning. The attackers will be learning too, and will try to tweak their traffic until it looks innocuous. As attackers do that, filters will try to catch them, and the chances for "false positive" are going to increase.

> The question I want to ask: What can we do *now* to stop this from
> happening when TLS 1.4 will be deployed? I have the feeling GREASE
> won't be enough...

Data sets. Machine learning algorithms are trained with data sets. If we produce reference data sets showing what TLS 1.4 looks like, the vendors can retrain their AI and start recognizing the new version for what it is, rather than some unknown attack.

-- 
Christian Huitema
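As an added illustration (not part of this thread or any vendor's code), a small Python sketch of the kind of cleartext-feature classifier discussed above: it parses a constructed ClientHello, drops GREASE values as RFC 8701 requires, and then checks the advertised versions against an allow-list the classifier was "trained" on. The 0x0305 value standing in for "TLS 1.4" is a constructed placeholder; no such version is defined.

```python
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. A classifier must ignore them.
GREASE = {v | (v << 8) for v in range(0x0A, 0x100, 0x10)}
KNOWN_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}   # TLS 1.0 .. TLS 1.3, the "training set"
TLS_1_4_PLACEHOLDER = 0x0305                        # constructed; not a real version number

def build_client_hello(versions, ciphers):
    """Constructed minimal TLS record carrying a ClientHello with a supported_versions extension."""
    sv_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", 0x002B, len(sv_body)) + sv_body          # 0x002B = supported_versions
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"           # legacy_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type 1 = client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs         # record type 22 = handshake

def extract_features(record):
    """Pull the cleartext fields a middlebox can see; GREASE values are stripped from every set."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9                                       # skip 5-byte record header and 4-byte handshake header
    legacy = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                                 # legacy_version + random
    p += 1 + record[p]                          # session_id
    n = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    ciphers = set(struct.unpack("!%dH" % (n // 2), record[p:p + n]))
    p += n
    p += 1 + record[p]                          # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end, versions, ext_types = p + ext_len, {legacy}, set()
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        ext_types.add(etype)
        if etype == 0x002B:                     # supported_versions: 1-byte length, then 2-byte versions
            cnt = record[p]
            versions |= set(struct.unpack("!%dH" % (cnt // 2), record[p + 1:p + 1 + cnt]))
        p += elen
    return {"versions": versions - GREASE, "ciphers": ciphers - GREASE, "extensions": ext_types - GREASE}

def classify(features):
    """Naive allow-list classifier: any version outside the training set is flagged 'unknown'."""
    return "unknown" if features["versions"] - KNOWN_VERSIONS else "known"
```

GREASE values vanish in the parser, so a client that only adds GREASE still gets "unknown" the moment it advertises a version the allow-list was never trained on; only refreshing KNOWN_VERSIONS (the reference data set) fixes that.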
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls