Re: [saag] Ubiquitous Encryption: content filtering

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 23 June 2015 08:59 UTC

In-Reply-To: <DE85F7A6-A8F6-48FA-8AAA-EF8ECE17B73E@gsma.com>
References: <99DC814A-2B7D-4802-A1C7-399E77F37BD7@gsma.com> <CABtrr-U9kLfq4GQbWSgPN=wCD=Cdi0uQ+bQqXj35j+PFtuE8Pg@mail.gmail.com> <A4BAAB326B17CE40B45830B745F70F108E070156@VOEXM17W.internal.vodafone.com> <55844743.4030300@cs.tcd.ie> <55886F38.4030906@bbn.com> <20150622211207.GM6117@localhost> <DM2PR0301MB06554ECDB1166C32CF70366CA8A10@DM2PR0301MB0655.namprd03.prod.outlook.com> <CA+cU71ksYZpzg_7jX1xz3aqg-ZVMC-22hCevATrgmHj3h5bVrA@mail.gmail.com> <DE85F7A6-A8F6-48FA-8AAA-EF8ECE17B73E@gsma.com>
Date: Tue, 23 Jun 2015 04:59:03 -0400
Message-ID: <CAHbuEH4Rp4DQCRJiED3vKRco8+boLzpZqnp5OZPhhsLuxP7G9g@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Natasha Rooney <nrooney@gsma.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/R46xF5NDkwk69tx6OWi-CSQGj80>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Ubiquitous Encryption: content filtering

Thanks for the discussion on this, it's helpful to get this right for
documentation purposes.  I'd split out MiTM activities of this sort for
enterprises vs. the same done at the service provider level because of
employee agreements.  I also choose not to go to many sites from behind a
firewall and hope others do too when signaled that there is a certificate
mismatch.

On Tue, Jun 23, 2015 at 4:47 AM, Natasha Rooney <nrooney@gsma.com> wrote:

>  Thanks guys for this - and sorry for the on-list tech check: but, isn’t
> SNI configured by the content server? So, if I run https://evil.com,
> can’t I just not use SNI?
>
> Natasha
>
>
> Natasha Rooney | Web Technologist | GSMA | nrooney@gsma.com | +44
> (0) 7730 219 765 | @thisNatasha | Skype: nrooney@gsm.org
> Tokyo, Japan
>
>
>  On Jun 23, 2015, at 6:44 AM, Tom Ritter <tom@ritter.vg> wrote:
>
> On 22 June 2015 at 16:24, Christian Huitema <huitema@microsoft.com> wrote:
>
> If the site used a shared address, then the TLS packets contain a clear
> text SNI, and firewall magic could drop these connections.
>
> I am not very happy about the clear text SNI, but it does not seem to be
> going away any time soon.
>
>
> Many of us aren't, as it's been used at the nation level for
> censorship. We're working on TLS 1.3, and our hope now is that it will
> have the capability to do encrypted SNI through the use of pre-shared
> keys provided over (e.g.) DNS or a prior connection.
>
> DNS leaks it also, but it's already possible to configure a local
> unbound instance to talk to a remote resolver over TLS; so that
> protocol is a way forward for DNS Privacy (which is also being worked on)
> that already has some running code.
>
> -tom
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>


-- 

Best regards,
Kathleen
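As an added example (not code from this thread or from any of its participants), the following Python sketch shows what Christian's "firewall magic" actually has to work with: it parses the cleartext server_name extension out of a TLS ClientHello and applies a hostname blocklist to it. It also covers the case Natasha asks about, a client that simply omits the extension, so the filter has to decide what to do with a ClientHello carrying no name at all. The ClientHello bytes are constructed in the block itself, "evil.com" is reused from the thread as the hypothetical blocked name, and the decision strings and the drop_if_no_sni knob are this example's own choices.

```python
"""Parse the cleartext SNI from a TLS ClientHello and filter on it.

Added example for the saag thread above; not code from any participant.
The ClientHello records are constructed here for illustration.
"""
import struct

SNI_EXTENSION = 0x0000          # server_name, RFC 6066
HOST_NAME = 0x00                # NameType host_name

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample data).
    With server_name=None the server_name extension is left out entirely,
    i.e. the "just don't use SNI" case from the thread."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # random (fixed, constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                            # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension,
    None if the extension is absent, or raise ValueError for non-ClientHello input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == SNI_EXTENSION:
            q = 2                                         # skip ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == HOST_NAME:
                    return data[q:q + name_len].decode("idna")
                q += name_len
    return None

BLOCKED = {"evil.com"}          # hypothetical name from the thread

def filter_decision(record, blocked=BLOCKED, drop_if_no_sni=False):
    """Decide on one ClientHello the way an SNI-based middlebox would.
    Returns "drop", "allow", "no-sni" or "pass" (not a ClientHello)."""
    try:
        name = extract_sni(record)
    except (ValueError, struct.error, IndexError):
        return "pass"            # design choice: this filter only looks at ClientHellos
    if name is None:
        # The absence of SNI is itself visible; policy decides what that means.
        return "drop" if drop_if_no_sni else "no-sni"
    if any(name == b or name.endswith("." + b) for b in blocked):
        return "drop"
    return "allow"

if __name__ == "__main__":
    for host in ("evil.com", "www.evil.com", "ietf.org", None):
        rec = build_client_hello(host)
        print(host, extract_sni(rec), filter_decision(rec))
```

Run it as-is and the record built for "evil.com" is dropped while the one built without any server_name comes back as "no-sni": a client can decline to send the name, but it cannot hide that it declined, so the middlebox is left choosing between dropping all name-less handshakes and letting them through on destination address alone.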