Re: [perpass] Fwd: Re: perens-perpass-appropriate-response-01

[Phillip Hallam-Baker <hallam@gmail.com>]

This is actually my reason for opposing making http a mandatory

I am fine with the idea of requiring strong TLS

I am fine with the idea of a new mechanism for weakly authenticated http.


But do not weaken TLS so that it can be used as a proxy bypass
strategy without strong crypto

Do it right or write your own. Do not damage the only security
protocol we have so some folk can shave a few msec off latency


Sent from my difference engine


> On Dec 8, 2013, at 10:55 AM, Nicholas Weaver <nweaver@icsi.berkeley.edu> wrote:
>
>
>> On Dec 7, 2013, at 4:09 PM, Bruce Perens <bruce@perens.com> wrote:
>> Well, we do have some HTTP uses where encryption that hides the content won't be allowed, and thus authentication is important.
>>
>> We can't have encryption when we use HTTP over Amateur Radio in the US and many other countries. There is self-policing on ham frequencies that requires that people be able to copy other people's transmissions, and encryption defeats that. Obviously we don't put confidential data on those frequencies, that belongs on your cell phone. So, an authentication-only WiFi protocol is needed for Amateur Radio, and possibly an authentication-only version of TLS.
>
> NO!!!!
>
> The reason is downgrade attacks.  A huge problem with the IPSec standard is that NULL encryption was allowed in there, and also known weak modes (single DES, 720b D/H etc).  Its one of the primary reasons why John Gilmore and therefore others feel the IPSec process was sabotaged by the NSA.
>
> To explicitly support downgraded, athuentication w/o encryption is STUPID!  it is DANGEROUS!
>
>
>
> About the only thing that is not a horrid idea is to have the key exchange generate a separate MAC and encryption key, using an encrypt then MAC structure.   Yet that loses out on the benefit of authenticated encryption modes that build the MAC into the communication.
>
> So face it Bruce, your only option should be to have the client leak the session keys keys, and thereby explicitly say "NO SECURITY ON THIS CONNECTION, HAVE A NICE DAY".
>
> And yes, this means the French can pwn you.  Sorry, use a network that allows encryption.  Or have your session key leaker in UDP, and only 2-3 hops on the TTL, so only locals can pwn you.  [1]
>
> Anything more built into the protocol to support unencrypted communication represents a sabotage attempt on the rest of the Internet.
>
>
> [1] I'm just waiting for the Botnet that uses open-WiFi to pwn the fellow computers in the local starbucks.  Its an old idea, but a good one...
>
> --
> Nicholas Weaver                  it is a tale, told by an idiot,
> nweaver@icsi.berkeley.edu                full of sound and fury,
> 510-666-2903                                 .signifying nothing
> PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
>
>
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass