On 26/04/2015 20:31 pm, Jana Iyengar wrote:
Hmm ... This seems like a potential rathole. This is a MITM attack
(though I don't understand it fully), and TCPINC is expressly not
protecting against such attacks, right?

Precisely. Opportunistic security does not, should not and cannot protect against all attacks; in this case, TCPINC doesn't protect against a direct MITM and would not have necessarily changed the nature of the attack described in that post.

The debate that forms around this nexus is whether to protect against some active attacks, knowing that we cannot stop all active attacks.

I may still not understand the
value proposition of TCPINC,

There are approximately three modes of attack in the TCPINC/OS worldview:

1.  easy attack: passive surveillance.
2.  mild attack: MITM against an Opportunistic Security protocol, e.g. TCPINC
3.  heavy attack: bypass against a strong protocol like TLS.

TCPINC knocks out 1. Huge win, because this is going on right now at Internet scale, and not only by NSA and China but also by every modern data-mining ISP.

TCPINC fails against 2. But it makes it possible to detect - which is a win. Not necessarily easy, but as implementations advance they will provide better diagnostics, and devs and sysadmins will watch for the signs. It is this result that the original post highlights -- they saw signs, they tracked it down and announced some form of attack.

TCPINC fails completely against 3, but TLS succeeds, which forces the attacker to use other "bypass" attacks which are more expensive and more detectable (hopefully). The point here is that the information found in 2 will increase the incentive to employ stronger security overall. More information leading to clearer incentive is a win.

In a nutshell, the game is to force the attacker to at least MITM us, because then he's out in the open, visible.


but that would be a different thread on a
different list, I think.  This attack, as several other attacks are
bound to be, seems to be out of scope for this wg.


Yeah, in the large, this is a topic for a different list/thread. But the small direct link is that it is a very nice example [0] of what we are facing when we deal with the net overall.



iang



[0] there is some criticism elsewhere that the story is not accurate, that the attack was simply a bug in browsers.



On Sunday, 26 April 2015, John Border <[email protected]> wrote:


    Privacy


    -----Original Message-----
    From: Tcpinc [mailto:[email protected]] On Behalf Of Christian
    Huitema
    Sent: Sunday, April 26, 2015 2:37 PM
    To: ianG; [email protected]
    Subject: Re: [tcpinc] Internet-scale attack on TLS

     > An attack on TCP/TLS has now been detected at broad scale, and traced
     > back to the bug responsible (client-side Heartbleed) and the probable
     > attacker (agency with massive pipe access, e.g. NSA).
     >
     > This attack more fully informs the reason for the existence of the
     > group.  It less directly informs the technical solutions, and indeed
     > might just cause confusion as there is room for both sides to
     > claim "I told you so!"  :)

    +1.

    What is the value of TCP-INC if it cannot defend against packet
    injection attacks?

    -- Christian Huitema




     >
     >
     > http://cryptome.org/2015/04/goodcrypto-attacked.htm
     >
     > ... In early 2015 people were still downloading our ISO file for
     > GoodCrypto. But suddenly installations stopped.
     >
     > After a lot of checking we noticed that the downloads got HTTP 200
     > result codes, but the lengths were all too short. This isn't supposed
     > to happen. A 200 result means success. These weren't successful
     > downloads, but the web logs said they were. Ordinary log checks
     > didn't show the bug. ...
     >
     > _______________________________________________
     > Tcpinc mailing list
     > [email protected]
     > https://www.ietf.org/mailman/listinfo/tcpinc



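As an added example (not part of the thread or of the GoodCrypto post), the log check the quoted post describes: flag responses logged as 200 whose byte count is smaller than the file on disk, which a plain status-code check misses. The log lines, the ISO path and its size are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed combined-format access log lines (not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2015:10:02:11 +0000] "GET /iso/goodcrypto.iso HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Jan/2015:08:40:03 +0000] "GET /iso/goodcrypto.iso HTTP/1.1" 200 15728640 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Jan/2015:09:12:55 +0000] "GET /iso/goodcrypto.iso HTTP/1.1" 200 1048576 "-" "curl/7.38"
192.0.2.10 - - [21/Jan/2015:09:13:01 +0000] "GET /iso/goodcrypto.iso HTTP/1.1" 206 1048576 "-" "curl/7.38"
192.0.2.11 - - [21/Jan/2015:09:15:20 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, bytes sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed on-disk size of the published ISO; in practice read it from the filesystem.
EXPECTED_SIZES = {"/iso/goodcrypto.iso": 734003200}


@dataclass
class Truncated:
    ip: str
    ts: str
    path: str
    sent: int
    expected: int


def find_truncated_200s(log_text, expected_sizes):
    """Return 200 responses for known files whose byte count is below the file size.
    A 200 with fewer bytes than the file means the connection ended before the
    body finished, which the status code alone hides.  A 206 partial response is
    legitimately short and is skipped; a '-' byte count is treated as zero."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        path = m["path"]
        if m["status"] != "200" or path not in expected_sizes:
            continue
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        if sent < expected_sizes[path]:
            hits.append(Truncated(m["ip"], m["ts"], path, sent, expected_sizes[path]))
    return hits


if __name__ == "__main__":
    for h in find_truncated_200s(SAMPLE_LOG, EXPECTED_SIZES):
        print(f"{h.ts} {h.ip} {h.path}: logged 200 but sent {h.sent} of {h.expected} bytes")
```

A sudden rise in such entries for one file, with no matching change on the server, is the signal the post describes; confirming it still requires looking at the connections themselves.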
