Olle,

On Oct 23, 2014, at 2:50 AM, Olle E Johansson <[email protected]> wrote:

> I get a lot of worried questions much like: "Then we can't use Wireshark" when I talk about crypto. That needs to be addressed too.

Yes, this was part of the context in which the topic came up for me. As I've talked about the idea of adding TLS to more applications (and pointed people to the work happening here in UTA), I've had responses from network operators generally fall in three camps:

1. "Wait! If application developers run everything over TLS, all we'll see are TLS-encrypted streams. We won't be able to see into the traffic and manage our network appropriately."

2. "That's cool! That will make the Internet more secure for our customers. What can we do to help make TLS flow through our network better?"

3. "That's nice" ... as the eyes glaze over because we're talking about something higher than layer 3 and they want to go back to talking about IPv6 or BGP...

For the folks in #1 I don't know that there really is an easy answer other than "you're right... TLS makes the kind of probably benign monitoring you want to do harder, because the goal is to prevent the kind of malicious monitoring being done by attackers." While "Sorry, deal with it" isn't a great response, I'm not sure how we answer that otherwise. (And I'd love to hear suggestions!)

It's the folks in #2 I'm interested in (because those in #3 just don't care). Someone pointed me to these sites:

* https://bettercrypto.org
* https://wiki.mozilla.org/Security/Server_Side_TLS

... both of which are useful to network operators / sys admins for configuring their servers and systems to use TLS. Part of me is wondering if there is guidance out there somewhere for how to configure firewalls and other network edge devices to best support TLS... but maybe that guidance just comes down to "don't block TLS-encrypted streams!"
Dan

--
Dan York
Senior Content Strategist, Internet Society
[email protected]
+1-802-735-1624
Jabber: [email protected]
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/deploy360/

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
