Re: [Patient] DOJ first on encryption services

"Diego R. Lopez" <diego.r.lopez@telefonica.com> Sun, 18 March 2018 12:51 UTC

Return-Path: <diego.r.lopez@telefonica.com>
X-Original-To: patient@ietfa.amsl.com
Delivered-To: patient@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C49E127871 for <patient@ietfa.amsl.com>; Sun, 18 Mar 2018 05:51:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.91
X-Spam-Level:
X-Spam-Status: No, score=-2.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XAODqfiEyZ07 for <patient@ietfa.amsl.com>; Sun, 18 Mar 2018 05:51:06 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00128.outbound.protection.outlook.com [40.107.0.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79F99127873 for <patient@ietf.org>; Sun, 18 Mar 2018 05:51:05 -0700 (PDT)
Received: from HE1PR0602MB2921.eurprd06.prod.outlook.com (10.175.33.12) by HE1PR0602MB2922.eurprd06.prod.outlook.com (10.175.33.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.588.14; Sun, 18 Mar 2018 12:51:02 +0000
Received: from HE1PR0602MB2921.eurprd06.prod.outlook.com ([fe80::408a:72bd:afe7:9602]) by HE1PR0602MB2921.eurprd06.prod.outlook.com ([fe80::408a:72bd:afe7:9602%18]) with mapi id 15.20.0588.016; Sun, 18 Mar 2018 12:51:02 +0000
From: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
To: Eric Rescorla <ekr@rtfm.com>, "tony@yaanatech.co.uk" <tony@yaanatech.co.uk>
CC: Brian Witten <brian_witten@symantec.com>, "patient@ietf.org" <patient@ietf.org>
Thread-Topic: [Patient] DOJ first on encryption services
Thread-Index: AQHTvqsXdv2n4kUMCEyijUVKj9YP9aPV2jyAgAASOwCAAARGAIAAAXQA
Date: Sun, 18 Mar 2018 12:51:02 +0000
Message-ID: <62E37C99-A74D-407C-99A3-00AA253BC218@telefonica.com>
References: <02be9028-a8fd-f527-826b-5361de1470ce@yaanatech.co.uk> <F8164D9E-92C2-4440-BD06-6D81852918B8@telefonica.com> <9d71af7a-cdf2-7590-6e12-e3207e2c4736@yaanatech.co.uk> <CABcZeBOyyr44-ED9MMhHtzPuTq-Xt_iYeJKs6vbOUN=Stjc==g@mail.gmail.com>
In-Reply-To: <CABcZeBOyyr44-ED9MMhHtzPuTq-Xt_iYeJKs6vbOUN=Stjc==g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.b.0.180311
authentication-results: spf=none (sender IP is ) smtp.mailfrom=diego.r.lopez@telefonica.com;
x-originating-ip: [2001:67c:1232:144:ec9b:d45e:1f59:b8dc]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1PR0602MB2922; 7:pyP77LR9ii51PZ0DUit48ulHxvQC/MQZJz8wZe9jXrEuNXpi2tKoHyRNIcw0FT46RgFbRl6XExPe2fg+Z+6NZigdi5CDmQv6MGd2r6/9erxNHj4f0KeiNtUZEXcGfFu2c0t4UvtLf2WE5h/bsYdszwcszr4ghuLBWz3a0oQ58bveruUebR1SZ3kspbiJtpLTpcSepQWKIQT5AvMhdEUjCECWmL4D6LDZI0r5KYm5ctnxar82o8ZJtMrnNVawhwJn
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: be1a4900-258b-43b7-8972-08d58ccee7c0
x-microsoft-antispam: UriScan:(40392960112811); BCL:0; PCL:0; RULEID:(7020095)(4652020)(8989060)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(8990040)(2017052603328)(7153060)(7193020); SRVR:HE1PR0602MB2922;
x-ms-traffictypediagnostic: HE1PR0602MB2922:
x-microsoft-antispam-prvs: <HE1PR0602MB29225979B2FD6D56ACE40788DFD50@HE1PR0602MB2922.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(40392960112811)(158342451672863)(128460861657000)(21748063052155)(81160342030619);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(3231221)(944501244)(52105095)(6055026)(6041310)(20161123562045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123564045)(20161123560045)(6072148)(201708071742011); SRVR:HE1PR0602MB2922; BCL:0; PCL:0; RULEID:; SRVR:HE1PR0602MB2922;
x-forefront-prvs: 06157D541C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39380400002)(366004)(39860400002)(346002)(396003)(199004)(189003)(40134004)(252514010)(25724002)(6486002)(102836004)(54896002)(229853002)(76176011)(6512007)(6306002)(786003)(54906003)(99286004)(81166006)(8936002)(81156014)(25786009)(8676002)(4326008)(6436002)(186003)(93886005)(97736004)(59450400001)(110136005)(2900100001)(53936002)(6506007)(14454004)(53546011)(86362001)(236005)(606006)(58126008)(316002)(46003)(83716003)(106356001)(36756003)(3280700002)(2906002)(5660300001)(3660700001)(68736007)(966005)(7736002)(82746002)(6116002)(33656002)(2950100002)(45080400002)(6246003)(5250100002)(105586002)(2501003)(478600001); DIR:OUT; SFP:1102; SCL:1; SRVR:HE1PR0602MB2922; H:HE1PR0602MB2921.eurprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: LeRCqmjFqr9gXTLDlkikWPc7oDx2Q8lcTEc6ezf6G9IKEjNPW6l57YBqwTtCBs7db8L18yB1WpE9lJRSUemaouzqqdLUHgJOfsP75Wf6Ni+AFPw6BgB6F1AmH0dI+AE4PZ1FBRfKzLPOKliWa+7rmH178N9VdiPeVYdyVvBSHRt+oDlFlvnAgl3Fq5QF5IfsNtxsIg5QPdv5/MJyqFvqD8gpQhfmuCkFH+hoGh06U0+CN8NFHdhhy2fa4DwgQchGjK8USVg4rcZn8T86lQtPPn1o2hIywsZwL7jHeuMhpOnkSbggvRi5PUDxk95a+o3c9IIQhu6xxmA+9Ib91DrIoQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_62E37C99A74D407C99A300AA253BC218telefonicacom_"
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-Network-Message-Id: be1a4900-258b-43b7-8972-08d58ccee7c0
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2018 12:51:02.1006 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0602MB2922
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/nMFHZzmP820Mxu_5Wrs5sOzA7DU>
Subject: Re: [Patient] DOJ first on encryption services
X-BeenThere: patient@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/patient>, <mailto:patient-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/patient/>
List-Post: <mailto:patient@ietf.org>
List-Help: <mailto:patient-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/patient>, <mailto:patient-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 12:51:09 -0000

Hmmm… The SNI would be a much weaker evidence than the server certificate, wouldn’t it?

--
"This time we will not fail, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
https://www.linkedin.com/in/dr2lopez/

e-mail: diego.r.lopez@telefonica.com
Tel:    +34 913 129 041
Mobile: +34 682 051 091
----------------------------------
On 18/03/2018, 12:46, "Eric Rescorla" <ekr@rtfm.com> wrote:

On Sun, Mar 18, 2018 at 12:30 PM, Tony Rutkowski <tony@yaanatech.co.uk> wrote:
Hi Diego,

It is also worth referencing a relatively recent Lawfare article on the scaling litigation in the U.S. against those supporting e2e encryption services or capabilities.
https://www.lawfareblog.com/did-congress-immunize-twitter-against-lawsuits-supporting-isis

This litigation trend is also likely to increase the insurance costs of providers.  Indeed, a provider that supports TLS1.3, QUIC, SNI, etc, may not even be able to get insurance.  It may be fun and games to play crypto rebel in venues like the IETF where the risk exposure is minimal, but when it comes to real world consequences and costs, the equations for providers are rather different.

I think this rather overestimates the degree to which both TLS 1.3 and QUIC change the equation about what a provider is able to determine from traffic inspection. As a practical matter, the primary change from TLS 1.2 is that the provider does not get to see the server's certificate, but it does see the SNI. Given that the SNI contains the identity of the server that the client is connected to and that the other identities in the certificate are often whatever the provider decided to co-locate on the same machine, I'm not sure how much information you are really losing.

-Ekr



--tony


_______________________________________________
PATIENT mailing list
PATIENT@ietf.org
https://www.ietf.org/mailman/listinfo/patient


________________________________

This message and its attachments are addressed exclusively to their recipient, may contain privileged or confidential information and are for the exclusive use of the person or entity to which they are addressed. If you are not the indicated recipient, you are hereby notified that reading, using, disclosing and/or copying them without authorisation may be prohibited under current legislation. If you have received this message in error, please notify us immediately by this same means and then destroy it.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

This message and its attachments are addressed exclusively to their recipient, may contain privileged or confidential information and are for the exclusive use of the person or entity to which they are addressed. If you are not the indicated recipient, you are hereby notified that reading, using, disclosing and/or copying them without authorisation may be prohibited under current legislation. If you have received this message in error, please notify us immediately by this same means and destroy it.
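The exchange above turns on what a passive on-path observer can still read once a handshake moves from TLS 1.2 to TLS 1.3: Ekr's point is that the SNI stays in the clear in both while the server's Certificate message is only visible in the TLS 1.2 plaintext flight, and Diego's reply is that the SNI is weaker evidence because it is asserted by the client and never authenticated by the server. The following script is an added example, not code from the thread or from any IETF document. It parses the TLS record layer, extracts the host_name from a ClientHello's server_name extension, and reports whether a Certificate message ever appeared unencrypted. Every byte string in it is a constructed sample (zeroed random fields, an empty certificate list, zero bytes standing in for TLS 1.3 ciphertext), not captured traffic, and the function and constant names are the example's own.

```python
# Added example (not from the original thread): what a passive on-path observer
# can read from a TLS handshake. All byte strings are constructed samples.
import struct

CONTENT_HANDSHAKE, CONTENT_APPDATA = 22, 23   # TLS record content types
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11
EXT_SERVER_NAME = 0                            # SNI extension type (RFC 6066)


def parse_records(data):
    """Split a byte stream into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, ver, body))
        off += 5 + length
    return records


def handshake_messages(body):
    """Yield each handshake message (4-byte header included) in a record body."""
    off = 0
    while off + 4 <= len(body):
        mlen = int.from_bytes(body[off + 1:off + 4], "big")
        yield body[off:off + 4 + mlen]
        off += 4 + mlen


def sni_from_client_hello(hs):
    """Return host_name from a ClientHello's server_name extension, else None.
    The value is asserted by the client and never authenticated by the server."""
    if not hs or hs[0] != HS_CLIENT_HELLO:
        return None
    off = 4 + 2 + 32                                     # header, version, random
    off += 1 + hs[off]                                   # legacy_session_id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher_suites
    off += 1 + hs[off]                                   # compression_methods
    if off >= len(hs):
        return None                                      # no extensions block
    end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        edata = hs[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        p = 2                                            # skip ServerNameList length
        while p + 3 <= len(edata):
            ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
            if ntype == 0:                               # name_type host_name
                return edata[p + 3:p + 3 + nlen].decode("ascii")
            p += 3 + nlen
    return None


def observer_view(stream):
    """What the observer learns: the SNI, whether a Certificate message was
    sent in the clear, and how many records were opaque ciphertext."""
    view = {"sni": None, "cert_in_clear": False, "opaque_records": 0}
    for ctype, _ver, body in parse_records(stream):
        if ctype == CONTENT_HANDSHAKE:
            for msg in handshake_messages(body):
                if msg[0] == HS_CLIENT_HELLO:
                    view["sni"] = sni_from_client_hello(msg)
                elif msg[0] == HS_CERTIFICATE:
                    view["cert_in_clear"] = True
        elif ctype == CONTENT_APPDATA:
            view["opaque_records"] += 1                  # ciphertext, nothing to read
    return view


# --- constructed sample flights (not captured traffic) ---
def _hs_msg(htype, payload):
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload


def _record(ctype, *msgs):
    body = b"".join(msgs)
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


def build_client_hello(host=None):
    """Minimal ClientHello record, with an SNI extension when host is given."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        snl = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(snl)) + snl
        body += struct.pack("!H", len(ext)) + ext
    return _record(CONTENT_HANDSHAKE, _hs_msg(HS_CLIENT_HELLO, body))


SERVER_HELLO = _hs_msg(HS_SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00\x13\x01\x00")
CERT_MSG = _hs_msg(HS_CERTIFICATE, b"\x00\x00\x00")   # empty certificate_list placeholder

# TLS 1.2 style: the Certificate rides in a plaintext handshake record after ServerHello.
TLS12_STREAM = build_client_hello("www.example.com") + _record(CONTENT_HANDSHAKE, SERVER_HELLO, CERT_MSG)
# TLS 1.3 style: after ServerHello the Certificate is inside application_data
# records the observer cannot decrypt; zero bytes stand in for the ciphertext.
TLS13_STREAM = (build_client_hello("www.example.com") + _record(CONTENT_HANDSHAKE, SERVER_HELLO)
                + _record(CONTENT_APPDATA, bytes(48)))
```

Running `observer_view` over the two sample streams gives the same SNI for both and `cert_in_clear` only for the TLS 1.2 flight, which is the loss Ekr describes. What the script cannot show is the point behind Diego's question: nothing in the ClientHello binds the host_name to the peer that actually answers, so a provider that acted on the SNI alone would be acting on an unverified client claim, whereas the certificate it used to see was CA-signed and bound to the handshake.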