-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 14 October 2014 12:59:48 BST, Ralph Holz <[email protected]> wrote:
>On the second point - I am not quite so sure we should call it an attack.
>In my experience, there are quite a few companies that use these boxes for
>entirely legitimate reasons -

Quite a few nation state attackers that have actually deployed them widely would no doubt argue their use is also legitimate, likely for the prevention of terror, disharmony, and other bogeymen.

Regardless of the intentions behind their use, MITM proxies do subvert the security properties of TLS as designed and deployed, and are thus correctly regarded as an attack in the general sense. I think it should absolutely be described as such.

>especially in the context of industrial espionage.

TLS interception proxies are indeed useful in that context: they present an extraordinarily attractive vector for an attacker, especially when a target has willingly deployed one and expects to see it in normal use.

I contend that they are not as useful for counter-espionage as some may think, especially given the additional threat they pose. Informed, consenting people could instead grant permissions on the endpoints to someone wishing to audit traffic (such as an antivirus utility), and this is the best place to perform scans, as presumably legitimate users have legitimate admin rights and this does not affect the design or deployment of TLS.

Also, of course, in most deployments both ends have not provided consent, which is worth bearing in mind in some contexts.

Anyone who's deployed one of these TLS interception middleboxes should perhaps take the opportunity to re-examine and test their assumptions about their usefulness, necessity, and their security. I would probably recommend they SHOULD NOT be used - there may be a valid reason in a specific deployment, but the risks should be weighed up, and normally I feel this introduces more risk than it eliminates. To the extent it is accepted practice, I feel that is a problem.
- --
/akr
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQI3BAEBCgAhBQJUPRloGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
jtkWi2t6MXkP/jlMWk9jsqY2c1zTPDiZ5dDccXRIBt45NRr6sHdu/11+SyoOPoYM
6wvwDAmNSvaa+o25A7Ez9nCKkQVPnNcXC3dLzfXXKBCH4bVuu5ZGzKyGRwF8zsrf
+AeWOfI+qiwyZADN8/r39XX8dtpUTtReCVy+fSkez2YuXpOypFoL43JnbMrkz0hL
BrNNUclxQDsfU+1NYoYEGF1i/NMKpbaH/a/MWzvE6Pj6kZE7RBJZh9HW56UerpZB
TlHCPQW8kJAGIL6k6cUXBf/BeqrrlMIo5f2zB7QYYno+e5eUZwltuBLvoph7L0vN
TLSvTRI08Ozd2gCvIRRL1C/Gw/BiMQVKO5EuxI/mGPr+6jRSQacYL6Kefapbd29r
2ffYAprfwCbf1FUWsArHvBhwCnXnBvcBDHD8Zz91GCBLcfU6W4oamomJJj9RqTMV
6aT4Fgv+Xcs+B49wIQCwmsfPjaNrUTAQ14fNz7NnADPogfkFIRDqMj6a2bOETX8P
L0qo1JnCPSbWD1l0Amrx6/b6elCU5aeqzvng9Quxk87DaO66O7sSIPs8xA1a+WCV
7rvfytFbhFi4kkzrbLxsQPSwdNW/0v0Zb0LG8Ft79vh1Y/RwydKaK2oYJigDfnBj
45TBFjOM60qhpp0CsTWDO7d22UuS6hzk/biaSxSYchzZ+YFd5uTGbmqV
=v9Ln
-----END PGP SIGNATURE-----

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
