Re: [Patient] [saag] Internet Draft posted as requested -
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 16 December 2017 15:27 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: patient@ietfa.amsl.com
Delivered-To: patient@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4540C1250B8; Sat, 16 Dec 2017 07:27:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Iwd5XGNeko0t; Sat, 16 Dec 2017 07:27:36 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 386E0120721; Sat, 16 Dec 2017 07:27:35 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 03AECBE2E; Sat, 16 Dec 2017 15:27:34 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eTIB9cBRUonF; Sat, 16 Dec 2017 15:27:32 +0000 (GMT)
Received: from [10.244.2.100] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C59BBBE24; Sat, 16 Dec 2017 15:27:31 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1513438052; bh=RZvbobyTiOWIl2idTvxIGHW9lRH1ggyTSdFI218jArM=; h=Subject:To:References:From:Date:In-Reply-To:From; b=oT3Dwz+2DCTolj8XJ2b3ZzQ8iRuQwMu7OsO56zaSWAjBgirdxGtRPvtY9w4iFOJLC z1Ws99UajaKjLKf+YiyoNZ5mB+tMu0AkGSXr6bf2yyDxrBYWHULTA130jK/5Pf/utU Yrroi+0NuZDPR1fOkjtodechcoCG+ImwWyAEm7qI=
To: Brian Witten <brian_witten@symantec.com>, "patient@ietf.org" <patient@ietf.org>, "saag@ietf.org" <saag@ietf.org>
References: <MWHPR16MB14881688FE400E3277CA8A9393310@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB14889BEE3EB0ED5F328D7C3993370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB14889B7535153E5844649CA393370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB14880A12D15AC58FDD5CEC8793370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB1488D43F3B53BC7BBE9D836593370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB1488853B0E4F7BB8E557288D93370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB148845FB069D03625BC399B193370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB1488848D7AC828EBB8DA90B093350@MWHPR16MB1488.namprd16.prod.outlook.com> <DM5PR16MB148477E1FAA4C210A3B013F7930A0@DM5PR16MB1484.namprd16.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <dfdb52ca-81ae-50b7-cd5f-e256b5cb047d@cs.tcd.ie>
Date: Sat, 16 Dec 2017 15:27:31 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <DM5PR16MB148477E1FAA4C210A3B013F7930A0@DM5PR16MB1484.namprd16.prod.outlook.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="dIcS9xb3qu5wDUlc6brBADEMUFNvdkWvC"
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/-TowEhlQEGroIAMnmTZfSjRyw1w>
Subject: Re: [Patient] [saag] Internet Draft posted as requested -
X-BeenThere: patient@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/patient>, <mailto:patient-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/patient/>
List-Post: <mailto:patient@ietf.org>
List-Help: <mailto:patient-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/patient>, <mailto:patient-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Dec 2017 15:27:39 -0000
On 14/12/17 22:58, Brian Witten wrote: > The logic, in the short form of roughly five points would be: Let's see if there is or is not logic to be found... > ** (1) > ** Endpoints have vulnerabilities. ( unfortunately lots of them. > For this part I believe there is overwhelming evidence, but please > LMK if you disagree. ) That's incomplete to the point of being misleading. Middleboxes are as likely to have bugs. And if those are mitm'ing many https connections the impact of a problem is higher than for the client side. Probably also higher impact for most instances of servers too. And the mitms are certainly in a position to mitm connections to high-value servers (if they can do one they can do all) so all mitm code bugs could argued to be worse than endpoint bugs. > ** (2) ** These vulnerabilities are often > difficult (sometimes nearly impossible) for device owners, users, > etc, to mitigate “in” these endpoints. ( this is true today for > countless devices, and increasingly true for increasingly closed > devices, particularly in IOT and mobile. ) Where's the evidence for that? What percentage is "often"? (Speaking about "countless" devices, is pure rhetorical noise and not useful if you are honestly trying to provide verifiable evidence.) Why would middleboxes be easier to patch? It seems from many anecdotes (I'd love to see real numbers), that at least browsers and web servers these days are managed much better in terms of updates. > ** (3) ** For that reason, > those endpoint owners/users/etc often need to put some “thing” in the > network to mitigate those endpoint vulnerabilities. ** That's simply false. Even if I accepted your stated and flawed premises, the above still doesn't follow at all. Just to call out your flawed logic in one way: buggy difficult to fix clients *could* be fixed or replaced over time, so your claim that a mitm middlebox is *needed* is obviously false. > (4) ** For > that to be effective (against attacks in encrypted traffic), that > “thing” needs keys to inspect the encrypted traffic. ( This can be > done any of many ways, as it’s done today. ) Also clearly incorrect. See [1] (recently quoted by Martin T on some other list) for a proof that your claim that this is *needed* is also just false. [1] https://arxiv.org/abs/1607.01639 > ** (5) ** Where that’s > done today, it can be done much more safely, therefore we should spec > standards for how to do it more safely. ( Lots of ideas have been > published in research, and I include some details on that further > below, but maturing the right ones and baking them into a standard is > of course typically a “bigger group” effort. ) Afaics all of those approaches are inherently flawed and consider it someone reasonable that a human can decide when to trust a random name/address that claims to be "good." None (i.e. zero) of the approaches proposed would improve the overall environment and therefore none (i.e. zero) of those ought be standardised. So overall it seems flawed premises, incorrect logic, and your -00's lack of relevant data leave us right back where we started having to deal with risible claims such as this: > Re, "inserted without any form of knowledge or authorization by > the endpoint," in fact, PATIENT aims to establish a protocol whereby > end-users get visibility into ALL of the "things" (middleboxes) > monitoring the communications. Just for a laugh, I loaded [2] in a default setup browser (chromium). Among the 269 http requests that caused was [3]. Are you (Brian) seriously trying to claim that you actually believe that a random person can sensibly decide 269 times if 2001:db8::bad:1dea ought be allowed to mitm that connection? That is not something I find a credible assertion, so I'm left with the belief that the quoted text above aims to be a snow-job of some kind. And while a snow-job may be seasonal for the next few weeks, it is not a basis on which the IETF ought do anything except brush the snow-job aside. S [2] https://www.symantec.com/ [3] https://fei.pro-market.net/engine?du=24;csync=8A149905A638355A509A770D02460917;mimetype=img;sr
- [Patient] Internet Draft posted as requested - Brian Witten
- Re: [Patient] [EXT] Internet Draft posted as requ… Mingliang Pei
- Re: [Patient] Internet Draft posted as requested - Bret Jordan
- Re: [Patient] Internet Draft posted as requested … Paul Wouters
- Re: [Patient] [saag] Internet Draft posted as req… Peter Gutmann
- Re: [Patient] [saag] Internet Draft posted as req… Stephen Farrell
- Re: [Patient] Internet Draft posted as requested - Brian Witten
- Re: [Patient] Internet Draft posted as requested - Paul Wouters
- Re: [Patient] [EXT] Re: Internet Draft posted as … Brian Witten
- Re: [Patient] Internet Draft posted as requested - Black, David
- Re: [Patient] [EXT] RE: Internet Draft posted as … Brian Witten
- Re: [Patient] Internet Draft posted as requested - Bret Jordan
- Re: [Patient] [saag] Internet Draft posted as req… Stephen Farrell
- Re: [Patient] [saag] Internet Draft posted as req… Diego R. Lopez
- Re: [Patient] [saag] Internet Draft posted as req… Stephen Farrell
- Re: [Patient] [saag] Internet Draft posted as req… Black, David
- Re: [Patient] [saag] Internet Draft posted as req… Stephen Farrell
- Re: [Patient] [EXT] Re: [saag] Internet Draft pos… Brian Witten
- Re: [Patient] [saag] Internet Draft posted as req… Paul Wouters
- Re: [Patient] [saag] Internet Draft posted as req… Melinda Shore
- Re: [Patient] [EXT] Re: [saag] Internet Draft pos… Brian Witten
- Re: [Patient] [saag] Internet Draft posted as req… Diego R. Lopez
- Re: [Patient] [saag] Internet Draft posted as req… Bret Jordan
- Re: [Patient] [EXT] Re: [saag] Internet Draft pos… Mark Kennedy
- Re: [Patient] [saag] Internet Draft posted as req… Melinda Shore
- Re: [Patient] [saag] Internet Draft posted as req… Roland Zink
- Re: [Patient] Internet Draft posted as requested - Roland Zink
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Tero Kivinen
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Black, David
- Re: [Patient] [saag] Internet Draft posted as req… Bret Jordan
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Tero Kivinen
- Re: [Patient] [EXT] Re: [saag] Internet Draft pos… Stephen Farrell
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Peter Gutmann
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Michael Richardson
- Re: [Patient] [saag] [EXT] Re: Internet Draft pos… Michael Richardson
- [Patient] the IETF participant choice Tony Rutkowski
- Re: [Patient] the IETF participant choice Ted Lemon
- Re: [Patient] the IETF participant choice Tony Rutkowski
- Re: [Patient] the IETF participant choice Ted Lemon
- Re: [Patient] the IETF participant choice Tony Rutkowski
- Re: [Patient] [EXT] Re: the IETF participant choi… Brian Witten
- Re: [Patient] the IETF participant choice Benjamin Kaduk
- Re: [Patient] the IETF participant choice Eggert, Lars
- Re: [Patient] the IETF participant choice Tony Rutkowski
- Re: [Patient] [EXT] Re: the IETF participant choi… Tony Rutkowski
- Re: [Patient] [EXT] Re: the IETF participant choi… Brian Witten
- Re: [Patient] the IETF participant choice Kathleen Moriarty