> In 2007, Dan Shumow and Niels Ferguson discussed about the > possibility of a backdoor in a Dual Elliptic Curve pseudorandom > number generator [Rump].
I'm not sure how this paragraph is relevant to the rest of the draft. You only discuss the use of encryption, not particular schemes. > Entities exchanging traffic over the Internet should assume that any > traffic which is not encrypted will be intercepted given that peeking > is irresistible. This should probably be re-worded to be something like "any traffic which is not encrypted should be assumed to be compromised". Let's be honest, they're not capturing and storing every single bit of traffic, they definitely don't have the capacity for that. > The Hypertext Transfer Protocol (HTTP) [RFC2616] is widely used to > access the web. The protocol is sometimes used to provide web access > to email. Section 15 of RFC 2616 [RFC2616] does not provide any > guidance about encrypting the traffic generated by the protocol. This is currently being discussed by httpbis[1] and any discussion related to the use of encryption with HTTP should be had there. The other protocols will be discussed by the new uta (Using TLS in Applications) working group[2]. Other bits in general, there's a lot of talking about state sponsered surveillence, but there are other problems too. Botnets with nodes operating behind firewalls can sniff the wires, rouge sysadmins, anyone who can poison BGP tables, etc. Encryption is also only half the solution, the other half is authentication as if you're sending your data encrypted straight to the NSA while they MitM you, you've solved nothing. Given that one of the stated tasks for the uta working group is: "- Specify a set of best practices for TLS clients and servers, including but not limited to recommended versions of TLS, using forward secrecy, and one or more ciphersuites and extensions that are mandatory to implement." I believe that this draft would be more suited to be being discussed there. Iain. [1]: http://datatracker.ietf.org/wg/httpbis/charter/ [2]: http://datatracker.ietf.org/wg/uta/charter/ -- Iain R. Learmonth MBCS Electronics Research Group School of Engineering University of Aberdeen Kings College Aberdeen AB24 3UE Tel: +44 1224 27 2799 The University of Aberdeen is a charity registered in Scotland No.SCO13683 ________________________________________ From: perpass <[email protected]> on behalf of S Moonesamy <[email protected]> Sent: 24 November 2013 20:29 To: [email protected] Subject: [perpass] Traffic peeking Hello, I posted a draft about traffic peeking [1]. Comments are welcome. Regards, S. Moonesamy 1. http://tools.ietf.org/html/draft-moonesamy-traffic-peeking-00 _______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass _______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
