Re: [OPSEC] Request comments and discussion for draft-camwinget-tls-ns-impact

Warren Kumari <> Wed, 04 March 2020 15:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0B1523A1184 for <>; Wed, 4 Mar 2020 07:35:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zamJsNf7P85q for <>; Wed, 4 Mar 2020 07:35:28 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::f31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EB1573A1189 for <>; Wed, 4 Mar 2020 07:35:26 -0800 (PST)
Received: by with SMTP id o18so965871qvf.1 for <>; Wed, 04 Mar 2020 07:35:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KEWGZPTylDX71qnC+g1QMNPfv+Jn18LrBb7cCKwakS4=; b=UKLheEMESNlqsBpwlyv7gDm5g7k47FRybjTxPnnXwU+saVQD0TJy+FoT9cEldZhnQa bL+zR7/FVYeeqWUFJUv1jgoNvIBRteYITTEC9SRfBTH2ZVuiCpTBIjomsJIli/N8HfVX 5p+/rgQ/6G/pc4qisGhe9/gV3NccgvHOEOVzrrmq+zxSdZ6q/UGqAWC48OpXBYtaa2tW 1fDetKRdvzL3qRGUyGdLOPSxjWv/tUd1FT+o012yDVLIO+3N3BuFp6zKpuuFltaKpalO N5XMlttmpJt7EUqywX7yG/xtMAnWckmtWuohAVSJi08nesuHfuYiaoe8dNe9gUhxSgX/ ELsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KEWGZPTylDX71qnC+g1QMNPfv+Jn18LrBb7cCKwakS4=; b=qL4eNwKhVyNePmKtZpe+jtxHAM96bLHjJFErRuPL1oPJeJjkDElLI+i7bTxHI4rWMU 1GcQ2T9peUhpTOpbuf0nOD2RE90siF6Hhvi4x7aLIwVtjS/5JCgTCi+Q0mDdV5wHXCkH QAbEthvvG6wOEJPsOEw2977R5iXndotxtkxO7BFjg5BJUmx1D0En1MxizmbqYY853sbl kC+y8II/4XWYuqwuWz1mHEYNC03PvxziAv1mUYNxMIZ8LtP0z28XBlxXuxyGCE6DhzI5 v7pU9vpIQ3LKvZbgOYvx0RHpXAd1y62yKum8aZ1jkGsjN8/CBnZxKZnQHLPIt6SKYk5R fKqg==
X-Gm-Message-State: ANhLgQ0GQV0vcQ+p5XFZJEWAHBz65BoCTHBfpdWp/ICREypJgfrRfRjq o7X8dLO7r6o8qRy/0XIoq43w3RCpYMzhkxkDl5Z6gw==
X-Google-Smtp-Source: =?utf-8?q?ADFU+vuLogtZanp06PYGFtVzUYIETXTIwdulZxKxNHaB?= =?utf-8?q?7Ck86RQHIyohUyqIPAdacc43JfoL71RIKq9NA72AS9pXGY0=3D?=
X-Received: by 2002:ad4:59d1:: with SMTP id el17mr2564047qvb.29.1583336120265; Wed, 04 Mar 2020 07:35:20 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Warren Kumari <>
Date: Wed, 4 Mar 2020 10:34:43 -0500
Message-ID: <>
To: "Nancy Cam-Winget (ncamwing)" <>
Cc: "" <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [OPSEC] Request comments and discussion for draft-camwinget-tls-ns-impact
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Mar 2020 15:35:32 -0000

On Tue, Mar 3, 2020 at 9:18 PM Nancy Cam-Winget (ncamwing)
<> wrote:
> Hello OPSEC participants,
> Given the trends to improve on security and privacy, we thought it important to also
> document how network security solutions are used and how they interact with TLS.
> We have submitted
> and believe it is appropriate to discuss in this working group.

Thank you for this document -- I found it to be nicely readable and
understandable -- other than one major questions / point.

I'm sure I'm going to mess up the terminology horribly here -
apologies in advance...

Section 3:
" To achieve this, a TLS Proxy must be able to present a valid X.509
   certificate to the TLS client to appear as a valid TLS Server;
   similarly, the client must be able to validate the X.509 certificate
   using the appropriate trust anchor for that TLS connection."

I'm seen at least 2 deployment types for this sort of inspection - the
first is where a client is informed that there is a proxy server that
they need to send their traffic through -- i.e the system or browser
is configured with a proxy server (OS X called this "Secure Web
Proxy"), and is configured with something like

The second is a security appliance which does MiTM type stuff, and the
client installs a corporate CA certificate.
These are two very very different deployment scenarios, and the
"valid" part in "valid X.509 certificate" have very different
meanings[0]. I think that it would be useful to clearly outline these
two methods of watching "encrypted" user traffic, and clarify which
one(s) you are talking about.
The sentence: "This TLS Proxy is a transparent hop on the packet path;
and where necessary, preserves the client's and server's original IP
address and the intended source and destination TCP ports." implies
only the second, but I think it would be useful to be much clearer in
the introduction...

[0]: Yup, technically they are both valid, but (at least in my
opinion) the second is much less so :-P

> Warm regards,  Nancy (and my co-authors)
> _______________________________________________
> OPSEC mailing list

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.