Re: [saag] Is opportunistic unauthenticated encryption a waste of time?

joel jaeggli <joelja@bogus.com> Sun, 24 August 2014 20:42 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A90131A883C; Sun, 24 Aug 2014 13:42:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.568
X-Spam-Level:
X-Spam-Status: No, score=-2.568 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztFpq9EYVCrn; Sun, 24 Aug 2014 13:42:25 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A6681A87A2; Sun, 24 Aug 2014 13:42:25 -0700 (PDT)
Received: from mb-aye.local (c-67-188-0-113.hsd1.ca.comcast.net [67.188.0.113]) (authenticated bits=0) by nagasaki.bogus.com (8.14.7/8.14.7) with ESMTP id s7OKgIDt016541 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 24 Aug 2014 20:42:19 GMT (envelope-from joelja@bogus.com)
Message-ID: <53FA4E25.6070700@bogus.com>
Date: Sun, 24 Aug 2014 13:42:13 -0700
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Thunderbird/32.0
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>, Bernard Aboba <bernard_aboba@hotmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Nico Williams <nico@cryptonector.com>
Subject: Re: [saag] Is opportunistic unauthenticated encryption a waste of time?
References: <53F548E5.2070208@cs.tcd.ie>, <53F54F1C.1060405@dcrocker.net>, <53F5D303.1090400@cs.tcd.ie>, <CAMm+LwhmJpnU8E9ifA47baneGB=qjHzU_cy+wepPYLXrOhB+Pg@mail.gmail.com>, <20140821160402.GT14392@mournblade.imrryr.org>, <f5d8b5dc37b84f709c8f2df7c7a69daf@AMSPR06MB439.eurprd06.prod.outlook.com>, <CAK3OfOgZzoXVnrE8Nbs6mwN2xD_snbzH9jT8TsYOVt8UASahYQ@mail.gmail.com>, <a354d63505924d76a15b505e60e27a16@AMSPR06MB439.eurprd06.prod.outlook.com>, <20140822140000.GE14392@mournblade.imrryr.org>, <BLU181-W84354FE6BEF12305A2A7DB93D10@phx.gbl>, <20140823040550.GQ5909@localhost> <BLU181-W307B52819C577693183E2D93D10@phx.gbl>, <53F8FA97.2020607@cs.tcd.ie> <BLU181-W664365D566637BE6D0E67493D10@phx.gbl> <53F9F268.1030407@si6networks.com>
In-Reply-To: <53F9F268.1030407@si6networks.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="EPkIlonWVHDngsXJE2oQIHaRFD7PVAqu9"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (nagasaki.bogus.com [147.28.0.81]); Sun, 24 Aug 2014 20:42:20 +0000 (UTC)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/X0wPKEa-Z-soIxFo89JjW6m925w
Cc: "saag@ietf.org" <saag@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Aug 2014 20:42:26 -0000

On 8/24/14 7:10 AM, Fernando Gont wrote:
> On 08/23/2014 06:05 PM, Bernard Aboba wrote:
>>
>>> However, say we're wrong and someone who thinks OS is a waste
>>> of time is actually correct, what would such a person recommend
>>> that we do as well as, or instead of, OS?
>>
>> [BA] It depends on who we are trying to protect, and from what (or whom).  
>>
>> If the target is protection of dissidents from oppressive regimes, then
>> you need something much more comprehensive than 'unauthenticated
>> opportunistic encryption" (e.g. along the lines of Tor). 
> 
> It is quite often the case that, under oppressive regimes, using
> encryption technology will already flag you as "suspect" (if not
> "guilty"). So in that case, you'd probably want to use something
> probably want something more like a cover channel in those scenarios.

it's already implausible in many cases  to seperate the sheep from the
goats.

When was the last time you did a google search or accessed a twitter
feed in the clear?

> Cheers,
>