The research that this is built on isn't especially new:
https://arxiv.org/abs/1607.01639

The interesting observation in that paper is that the results are
obtained only from the subset of malware that uses its own TLS
configuration.  Those that used the Windows stack in a default
configuration were removed from consideration.  Now, it's possible
that things have improved since that paper, but it suggests the
presence of a gap that we might exploit.  So I'm not so down on
GREASE.

On Sat, Jan 13, 2018 at 10:02 AM, Hanno Böck <ha...@hboeck.de> wrote:
> Hi,
>
> This working group just went through a painful process of realizing
> that deploying a new TLS version on the Internet is a hard task due to
> broken devices. If you're not aware, David Benjamin just gave a great
> talk summarizing the issues:
> https://www.youtube.com/watch?v=_mE_JmwFi1Y
>
> Today I found this article:
> https://www.theregister.co.uk/2018/01/11/cisco_sniff_malware_inside_encrypted_traffic/
>
> tl;dr Cisco now says they can identify malware in TLS traffic by
> carefully looking at it.
> (For context: devices from Cisco were responsible for many of the
> issues that made deploying TLS 1.3 hard, e.g. version intolerance on
> load balancers and recently by not correctly terminating TLS in a
> firewall.)
>
>
> I'll dare to have a look into the future and make this imho very
> plausible claim:
> Cisco won't be the only vendor selling such things. We will see more
> products that magically can identify "bad things" in TLS traffic by
> applying everything from AI to Blockchain.
> We will almost certainly see a whole new generation of devices doing
> weirdness with TLS and who will drop or manipulate packages that contain
> things they don't know (like... a version negotiation field with TLS
> 1.4 or a large post-quantum key exchange message).
>
> The question I want to ask: What can we do *now* to stop this from
> happening when TLS 1.4 will be deployed? I have the feeling GREASE
> won't be enough...
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
