RE: [saag] Is opportunistic unauthenticated encryption a waste of time?

Bernard Aboba <> Sat, 23 August 2014 02:13 UTC

> It used to be easy to dismiss opportunistic security as a waste of time, it is now clear to most that it is ....

[BA] Merely a waste of money. 
"Opportunistic unauthenticated encryption" that does not defend against man-in-the-middle attacks has no value against targeted surveillance. So if the goal is to protect dissidents, look elsewhere. Unfortunately, the line between "targeted surveillance" and "mass surveillance" is a thin one.
The value against mass surveillance is predicated on the assumption that "large scale targeted surveillance" is infeasible or that the cost of large scale meta-data collection can be increased to the point where it is too costly even for a nation-state.
The first assertion is likely to be proven false by the first gear to include built-in man-in-the-middle attack support. Care to wager which appears first, carrier-class gear supporting man-in-the-middle attacks, or significant deployment of "opportunistic" encryption?
The second assertion is likely to be proven false as soon as "opportunistic" is deployed widely enough to necessitate a surveillance budget increase (based on purchases of the above gear) necessary to defeat it.