On Jan 12, 2018, at 3:02 PM, Hanno Böck <ha...@hboeck.de> wrote:
>
> Hi,
>
> This working group just went through a painful process of realizing
> that deploying a new TLS version on the Internet is a hard task due to
> broken devices. If you're not aware David Benjamin just gave a great
> talk summarizing the issues:
> https://www.youtube.com/watch?v=_mE_JmwFi1Y
>
> Today I found this article:
> https://www.theregister.co.uk/2018/01/11/cisco_sniff_malware_inside_encrypted_traffic/
>
> tl;dr Cisco now says they can identify malware in TLS traffic by
> carefully looking at it.
> (For context: devices from Cisco were responsible for many of the
> issues that made deploying TLS 1.3 hard, e.g. version intolerance on
> load balancers and recently by not correctly terminating TLS in a
> firewall.)

Those bugs that interfere with TLS handshakes are unrelated to Cisco's Encrypted Traffic Analytics ("ETA"). Different technologies.

-d

> I'll dare to have a look into the future and make this imho very
> plausible claim:
> Cisco won't be the only vendor selling such things. We will see more
> products that magically can identify "bad things" in TLS traffic by
> applying everything from AI to Blockchain.
> We will almost certainly see a whole new generation of devices doing
> weirdness with TLS and who will drop or manipulate packages that contain
> things they don't know (like... a version negotiation field with TLS
> 1.4 or a large post quantum key exchange message).
>
> The question I want to ask: What can we do *now* to stop this from
> happening when TLS 1.4 will be deployed? I have the feeling GREASE
> won't be enough...
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
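The version intolerance the thread refers to, and why GREASE (RFC 8701) is meant to surface it early, can be shown with a small server-side model. The following is an added example and not code from the thread, from Cisco, or from any TLS implementation: it parses only a ClientHello extensions block, implements the RFC 8446 rule (use supported_versions, ignore unknown values) as `negotiate_tolerant`, and models the intolerant device as `negotiate_intolerant`, which drops anything it has not seen before. The "future" version value 0x0305 is a placeholder for a hypothetical TLS 1.4, and all client inputs are constructed here.

```python
"""Tolerant vs. intolerant TLS version negotiation (constructed example).

`negotiate_tolerant` follows RFC 8446 section 4.2.1: the server uses the
supported_versions extension, skips unknown extension types and unknown or
GREASE version values, and picks the first client-preferred version it also
supports. `negotiate_intolerant` models the broken middlebox behaviour the
thread discusses: any unrecognized extension type or version value aborts
the handshake.
"""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
FUTURE_VERSION = 0x0305       # placeholder for a hypothetical "TLS 1.4" value
SUPPORTED_VERSIONS_EXT = 43   # extension type number from RFC 8446


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values: both bytes equal and of the form 0x?A
    (0x0a0a, 0x1a1a, ..., 0xfafa)."""
    hi, lo = value >> 8, value & 0xFF
    return hi == lo and (hi & 0x0F) == 0x0A


def parse_extensions(block: bytes) -> list:
    """Walk a ClientHello extensions block: 2-byte total length followed by
    (type, length, body) triples. Every extension is returned, known or not;
    only malformed encodings raise."""
    if len(block) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack("!H", block[:2])
    if total + 2 != len(block):
        raise ValueError("extensions length mismatch")
    exts, pos = [], 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", block[pos:pos + 4])
        body = block[pos + 4:pos + 4 + elen]
        if len(body) != elen:
            raise ValueError("truncated extension body")
        exts.append((etype, body))
        pos += 4 + elen
    return exts


def parse_supported_versions(body: bytes) -> list:
    """supported_versions body: 1-byte length, then 2-byte versions in the
    client's preference order."""
    if not body or body[0] % 2 or 1 + body[0] != len(body):
        raise ValueError("bad supported_versions encoding")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(1, len(body), 2)]


def encode_supported_versions(versions) -> bytes:
    payload = b"".join(struct.pack("!H", v) for v in versions)
    return bytes([len(payload)]) + payload


def encode_extensions(exts) -> bytes:
    payload = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in exts)
    return struct.pack("!H", len(payload)) + payload


def negotiate_tolerant(ext_block: bytes, server_versions: set):
    """RFC 8446 behaviour. Returns the chosen version or None if there is
    nothing in common (or no supported_versions extension at all)."""
    for etype, body in parse_extensions(ext_block):
        if etype != SUPPORTED_VERSIONS_EXT:
            continue  # unknown or GREASE extension: ignored, never fatal
        for v in parse_supported_versions(body):
            if v in server_versions:  # unknown and GREASE values fall through
                return v
        return None
    return None


def negotiate_intolerant(ext_block: bytes, server_versions: set):
    """Model of the intolerant device: an extension type or a version value it
    does not recognize is treated as an error and the handshake is dropped."""
    chosen = None
    for etype, body in parse_extensions(ext_block):
        if etype != SUPPORTED_VERSIONS_EXT:
            return None  # "unknown extension" -> drop
        offered = parse_supported_versions(body)
        if any(v not in server_versions for v in offered):
            return None  # "unknown version" -> drop, even though a good one follows
        chosen = offered[0]
    return chosen


SERVER_VERSIONS = {TLS12, TLS13}

# Constructed ClientHello extension blocks (extensions only, not full ClientHellos).
# A modern client sending a GREASE extension and a GREASE version first (RFC 8701).
CLIENT_GREASE = encode_extensions([
    (0x3a3a, b""),
    (SUPPORTED_VERSIONS_EXT, encode_supported_versions([0x3a3a, TLS13, TLS12])),
])
# A client advertising a not-yet-deployed version (placeholder value) ahead of 1.3.
CLIENT_FUTURE = encode_extensions([
    (SUPPORTED_VERSIONS_EXT, encode_supported_versions([FUTURE_VERSION, TLS13, TLS12])),
])
# A client that offers nothing the intolerant box has not seen before.
CLIENT_TLS12_ONLY = encode_extensions([
    (SUPPORTED_VERSIONS_EXT, encode_supported_versions([TLS12])),
])

if __name__ == "__main__":
    show = lambda v: "handshake dropped" if v is None else f"0x{v:04x}"
    for name, hello in [("grease", CLIENT_GREASE), ("future", CLIENT_FUTURE),
                        ("tls12-only", CLIENT_TLS12_ONLY)]:
        print(f"{name:11} tolerant={show(negotiate_tolerant(hello, SERVER_VERSIONS))}"
              f"  intolerant={show(negotiate_intolerant(hello, SERVER_VERSIONS))}")
```

Run stand-alone, the intolerant model completes only the TLS 1.2-only handshake and drops both the GREASE and the "future" ClientHello, while the tolerant server negotiates TLS 1.3 for both. That is the point of GREASE: a box that fails on 0x3a3a today fails in deployment now, rather than only once a real new version value ships.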