Re: [TLS] The future devices that will break TLS 1.4

[Hubert Kario]

On Saturday, 13 January 2018 03:31:23 CET Christian Huitema wrote:
> On 1/12/2018 1:53 PM, Dan Wing wrote:
> > The question I want to ask: What can we do *now* to stop this from
> > happening when TLS 1.4 will be deployed? I have the feeling GREASE
> > won't be enough...
> 
> Data sets. Machine learning algorithms are trained with data sets. If we
> produce reference data sets showing what TLS 1.4 looks like, the vendors
> can retrain their AI and start recognizing the new version for what it
> is, rather than some unknown attack.

doesn't help with already deployed gear, and we really can't predict how TLS 
1.4 will look like to give examples of it to them right now
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

signature.asc
Description: This is a digitally signed message part.
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] The future devices that will break TLS 1.4

[Martin Thomson]

The research that this is built on isn't especially new:
https://arxiv.org/abs/1607.01639

The interesting observation in that paper is that the results are
obtained only from the subset of malware that uses its own TLS
configuration.  Those that used the Windows stack in a default
configuration were removed from consideration.  Now, it's possible
that things have improved since that paper, but it suggests the
presence of a gap that we might exploit.  So I'm not so down on
GREASE.

On Sat, Jan 13, 2018 at 10:02 AM, Hanno Böck  wrote:
> Hi,
>
> This working group just went through a painful process of realizing
> that deploying a new TLS version on the Internet is a hard task due to
> broken devices. If you're not aware David Benjamin just gave a great
> talk summarizing the issues:
> https://www.youtube.com/watch?v=_mE_JmwFi1Y
>
> Today I found this article:
> https://www.theregister.co.uk/2018/01/11/cisco_sniff_malware_inside_encrypted_traffic/
>
> tl;dr Cisco now says they can identify malware in TLS traffic by
> carefully looking at it.
> (For context: devices from Cisco were responsible for many of the
> issues that made deploying TLS 1.3 hard, e.g. version intolerance on
> load balancers and recently by not correctly terminating TLS in a
> firewall.)
>
>
> I'll dare to have a look into the future and make this imho very
> plausible claim:
> Cisco won't be the only vendor selling such things. We will see more
> products that magically can identify "bad things" in TLS traffic by
> applying everything from AI to Blockchain.
> We will almost certainly see a whole new generation of devices doing
> weirdness with TLS and who will drop or manipulate packages that contain
> things they don't know (like... a version negotiation field with TLS
> 1.4 or a large post quantum key exchange message).
>
> The question I want to ask: What can we do *now* to stop this from
> happening when TLS 1.4 will be deployed? I have the feeling GREASE
> won't be enough...
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] The future devices that will break TLS 1.4

[Tony Arcieri]

On Sat, Jan 13, 2018 at 12:02 AM, Hanno Böck  wrote:
>
> The question I want to ask: What can we do *now* to stop this from
> happening when TLS 1.4 will be deployed? I have the feeling GREASE
> won't be enough...


Sidebar: TLS 4 ;)

-- 
Tony Arcieri
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] The future devices that will break TLS 1.4

[Christian Huitema]

On 1/12/2018 1:53 PM, Dan Wing wrote:
> I'll dare to have a look into the future and make this imho very
> plausible claim:
> Cisco won't be the only vendor selling such things. We will see more
> products that magically can identify "bad things" in TLS traffic by
> applying everything from AI to Blockchain.

Well, of course we will see such products. We know that it is possible
to do a lot of pattern recognition based on properties of the encrypted
traffic, as well as clear text parts of the headers. And we also know
that there are lots of network managers that want to understand what's
happening in their networks. The kind of products shown here seems
rather preferable to the previous generation of products that required
breaking the encryption.

> We will almost certainly see a whole new generation of devices doing
> weirdness with TLS and who will drop or manipulate packages that contain
> things they don't know (like... a version negotiation field with TLS
> 1.4 or a large post quantum key exchange message).

That's the general problem with machine learning. The attackers will be
learning too, and will try to tweak their traffic until it looks
innocuous. As attackers do that, filters will try to catch them, and the
chances for "false positive" are going to increase.

> The question I want to ask: What can we do *now* to stop this from
> happening when TLS 1.4 will be deployed? I have the feeling GREASE
> won't be enough...

Data sets. Machine learning algorithms are trained with data sets. If we
produce reference data sets showing what TLS 1.4 looks like, the vendors
can retrain their AI and start recognizing the new version for what it
is, rather than some unknown attack.

-- Christian Huitema


___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] The future devices that will break TLS 1.4

[Hanno Böck]

On Fri, 12 Jan 2018 15:53:05 -0800
Dan Wing  wrote:

> Those bugs that interfere with TLS handshakes are un-related to
> Cisco's Encrypted Traffic Analytics ("ETA").  Different technologies.

I haven't claimed that.

I just think it's very plausible to assume that a company that
already created two independent problems for TLS 1.3 will do the same in
future products that mess with TLS in "new and exciting ways".

And for the unlikely case that Cisco is able to learn from past mistakes
I'm absolutely sure there will be others creating similar products that
won't.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] The future devices that will break TLS 1.4

[Dan Wing]

On Jan 12, 2018, at 3:02 PM, Hanno Böck  wrote:
> 
> Hi,
> 
> This working group just went through a painful process of realizing
> that deploying a new TLS version on the Internet is a hard task due to
> broken devices. If you're not aware David Benjamin just gave a great
> talk summarizing the issues:
> https://www.youtube.com/watch?v=_mE_JmwFi1Y
> 
> Today I found this article:
> https://www.theregister.co.uk/2018/01/11/cisco_sniff_malware_inside_encrypted_traffic/
> 
> tl;dr Cisco now says they can identify malware in TLS traffic by
> carefully looking at it.
> (For context: devices from Cisco were responsible for many of the
> issues that made deploying TLS 1.3 hard, e.g. version intolerance on
> load balancers and recently by not correctly terminating TLS in a
> firewall.)

Those bugs that interfere with TLS handshakes are un-related to Cisco's 
Encrypted Traffic Analytics ("ETA").  Different technologies.

-d


> I'll dare to have a look into the future and make this imho very
> plausible claim:
> Cisco won't be the only vendor selling such things. We will see more
> products that magically can identify "bad things" in TLS traffic by
> applying everything from AI to Blockchain.
> We will almost certainly see a whole new generation of devices doing
> weirdness with TLS and who will drop or manipulate packages that contain
> things they don't know (like... a version negotiation field with TLS
> 1.4 or a large post quantum key exchange message).
> 
> The question I want to ask: What can we do *now* to stop this from
> happening when TLS 1.4 will be deployed? I have the feeling GREASE
> won't be enough...
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> 
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

[TLS] The future devices that will break TLS 1.4

[Hanno Böck]

Hi,

This working group just went through a painful process of realizing
that deploying a new TLS version on the Internet is a hard task due to
broken devices. If you're not aware David Benjamin just gave a great
talk summarizing the issues:
https://www.youtube.com/watch?v=_mE_JmwFi1Y

Today I found this article:
https://www.theregister.co.uk/2018/01/11/cisco_sniff_malware_inside_encrypted_traffic/

tl;dr Cisco now says they can identify malware in TLS traffic by
carefully looking at it.
(For context: devices from Cisco were responsible for many of the
issues that made deploying TLS 1.3 hard, e.g. version intolerance on
load balancers and recently by not correctly terminating TLS in a
firewall.)


I'll dare to have a look into the future and make this imho very
plausible claim:
Cisco won't be the only vendor selling such things. We will see more
products that magically can identify "bad things" in TLS traffic by
applying everything from AI to Blockchain.
We will almost certainly see a whole new generation of devices doing
weirdness with TLS and who will drop or manipulate packages that contain
things they don't know (like... a version negotiation field with TLS
1.4 or a large post quantum key exchange message).

The question I want to ask: What can we do *now* to stop this from
happening when TLS 1.4 will be deployed? I have the feeling GREASE
won't be enough...

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls