Re: [TLS] Breaking into TLS to protect customers

2018-03-22 Thread Benjamin Kaduk
[Apparently this was stuck in my 'drafts' folder; sorry if it has since become stale...] On Mon, Mar 19, 2018 at 07:20:04AM -0700, Colm MacCárthaigh wrote: > It's true that breaking open cleartext runs counter to the mission of > end-to-end TLS, but it also seems like operators are going to do it

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Eric Mill
On Mon, Mar 19, 2018 at 9:23 AM, Yoav Nir wrote: [snip] > > On 19 Mar 2018, at 7:32, Daniel Kahn Gillmor > wrote: > > So if this technology were deployed on a network where not all parties > > are mutually trusting, it would offer network users a

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Salz, Rich
* It's difficult to speculate here about the potential impact, but isn't another possibility that it would legitimize a mass-market of such products, particularly if such capabilities were introduced into clients and browsers? That is definitely a goal. The people who are in favor of this,

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Benjamin Kaduk
On Mon, Mar 19, 2018 at 12:22:48PM -0400, Ryan Sleevi wrote: > On Mon, Mar 19, 2018 at 10:20 AM, Colm MacCárthaigh > wrote: > > > 2/ clients and browsers could easily consider such sessions insecure by > > default. This would mean that adopters would have to deploy

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Benjamin Kaduk
On Mon, Mar 19, 2018 at 01:23:30PM +, Yoav Nir wrote: > Hi, Daniel > > Inline... > > > On 19 Mar 2018, at 7:32, Daniel Kahn Gillmor wrote: > > > > > > So if this technology were deployed on a network where not all parties > > are mutually trusting, it would offer

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Ryan Sleevi
On Mon, Mar 19, 2018 at 10:20 AM, Colm MacCárthaigh wrote: > 2/ clients and browsers could easily consider such sessions insecure by > default. This would mean that adopters would have to deploy configurations > and mechanisms to enable this functionality, similar to - but

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread R du Toit
rch 19, 2018 at 10:21 AM To: Daniel Kahn Gillmor <d...@fifthhorseman.net> Cc: "tls@ietf.org" <tls@ietf.org> Subject: Re: [TLS] Breaking into TLS to protect customers It's true that breaking open cleartext runs counter to the mission of end-to-end TLS, but it also se

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Colm MacCárthaigh
It's true that breaking open cleartext runs counter to the mission of end-to-end TLS, but it also seems like operators are going to do it if they can. Whether by staying on plain RSA, using static-DH, MITM through installing a private trusted CA, or exporting session secrets, they can certainly do

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Yoav Nir
Hi, Daniel Inline... > On 19 Mar 2018, at 7:32, Daniel Kahn Gillmor wrote: > > On Thu 2018-03-15 20:10:46 +0200, Yoav Nir wrote: >>> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue wrote: >>> >>> I fail to see how the current draft can be used to

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Joseph Lorenzo Hall
+1 On Mon, Mar 19, 2018 at 3:32 AM, Daniel Kahn Gillmor wrote: > On Thu 2018-03-15 20:10:46 +0200, Yoav Nir wrote: >>> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue wrote: >>> >>> I fail to see how the current draft can be used to provide visibility

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Daniel Kahn Gillmor
On Thu 2018-03-15 20:10:46 +0200, Yoav Nir wrote: >> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue wrote: >> >> I fail to see how the current draft can be used to provide visibility >> to an IPS system in order to detect bots that are inside the bank… >> >> On the one hand,

Re: [TLS] Breaking into TLS to protect customers

2018-03-19 Thread Matthew Ford
Hi Darin, > On 18 Mar 2018, at 16:09, Darin Pettis wrote: > > pushing this to another technology or WG isn't going to solve the current > problem in time. In time for what? Mat ___ TLS mailing list TLS@ietf.org

Re: [TLS] Breaking into TLS to protect customers

2018-03-18 Thread Eric Mill
olds true in the health care and insurance >> industries as well, and is not an accident. It is one of the primary >> reasons this monitoring is performed. >> >> >> >> *From:* TLS [mailto:tls-boun...@ietf.org] *On Behalf Of *Yoav Nir >> *Sent:* Thursday

Re: [TLS] Breaking into TLS to protect customers

2018-03-18 Thread Darin Pettis
> > *From:* TLS [mailto:tls-boun...@ietf.org] *On Behalf Of *Yoav Nir > *Sent:* Thursday, March 15, 2018 12:58 AM > *To:* Rich Salz <rs...@akamai.com> > *Cc:* tls@ietf.org > *Subject:* Re: [TLS] Breaking into TLS to protect customers > > > > Hi, Rich. > > > > Y

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Ackermann, Michael
12:58 AM To: Rich Salz <rs...@akamai.com> Cc: tls@ietf.org Subject: Re: [TLS] Breaking into TLS to protect customers Hi, Rich. You are conflating customers and users. The customer that may be protected by breaking TLS in a bank’s server farm is the bank itself. An IPS system with visi

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Roland Zink
On 15.03.2018 at 17:58, Carl Mehner wrote: On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty > wrote: > I think what Yoav is referring to by detecting BOTS within the > network, is really so called advance

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Yoav Nir
> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue wrote: > > I fail to see how the current draft can be used to provide visibility to an > IPS system in order to detect bots that are inside the bank… > > On the one hand, the bot would never opt-in for visibility if it’s

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Ion Larranaga Azcue
> -Original Message- > From: Kathleen Moriarty [mailto:kathleen.moriarty.i...@gmail.com] > Sent: Thursday, March 15, 2018 18:42 > To: Carl Mehner <c...@cem.me> > CC: Ion Larranaga Azcue <ila...@s21sec.com>; tls@ietf.org > Subject: Re: [TLS] Breaking

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Kathleen Moriarty
On Thu, Mar 15, 2018 at 12:58 PM, Carl Mehner wrote: > > > On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty > wrote: >> I think what Yoav is referring to by detecting BOTS within the >> network, is really so called advance persistent threat (APT)

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Carl Mehner
On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty < kathleen.moriarty.i...@gmail.com> wrote: > I think what Yoav is referring to by detecting BOTS within the > network, is really so called advance persistent threat (APT) actors > that are moving around the internal network leveraging existing

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Kathleen Moriarty
r maybe I misunderstood the use case altogether… > > > > > > From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Yoav Nir > Sent: Thursday, March 15, 2018 5:58 > To: Rich Salz <rs...@akamai.com> > CC: tls@ietf.org > Subject: Re: [TLS] Breaking i

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Salz, Rich
; Date: Thursday, March 15, 2018 at 12:57 AM To: Rich Salz <rs...@akamai.com> Cc: "tls@ietf.org" <tls@ietf.org> Subject: Re: [TLS] Breaking into TLS to protect customers Hi, Rich. You are conflating customers and users. The customer that may be protected by breaking TLS in a ba

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread Ion Larranaga Azcue
lowering the TLS protocol security level. Or maybe I misunderstood the use case altogether… From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Yoav Nir Sent: Thursday, March 15, 2018 5:58 To: Rich Salz <rs...@akamai.com> CC: tls@ietf.org Subject: Re: [TLS] Breaking into TLS to p

Re: [TLS] Breaking into TLS to protect customers

2018-03-15 Thread nalini elkins
> Are we going to discuss draft-fenter ad hoc, or we'll start a new thread dedicated to that? Because I strongly believe I also have some suggestions for that draft. Artyom, yes, as far as I am concerned at least, please start a new thread. Sorry I am getting behind on responding to all the

Re: [TLS] Breaking into TLS to protect customers

2018-03-14 Thread Yoav Nir
Hi, Rich. You are conflating customers and users. The customer that may be protected by breaking TLS in a bank’s server farm is the bank itself. An IPS system with visibility into the traffic may detect bots that are there to steal data or mine cryptocurrencies or whatever. If the customers

Re: [TLS] Breaking into TLS to protect customers

2018-03-14 Thread Artyom Gavrichenkov
Are we going to discuss draft-fenter ad hoc, or we'll start a new thread dedicated to that? Because I strongly believe I also have some suggestions for that draft. Wed, 14 Mar 2018, 23:30 Salz, Rich : > Some on this list have said that they need to break into TLS in order to

[TLS] Breaking into TLS to protect customers

2018-03-14 Thread Salz, Rich
Some on this list have said that they need to break into TLS in order to protect customers. The thing customers seem to need the most protection is having their personal data stolen. It seems to happen with amazing and disappointing regularity on astounding scales. Some examples include *