Re: [TLS] Breaking into TLS to protect customers

Kathleen Moriarty <> Thu, 15 March 2018 17:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 45C9212DA14 for <>; Thu, 15 Mar 2018 10:43:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id B7ZMCNxNoqK1 for <>; Thu, 15 Mar 2018 10:43:01 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B9C2012DA09 for <>; Thu, 15 Mar 2018 10:43:01 -0700 (PDT)
Received: by with SMTP id u5-v6so10207193itc.1 for <>; Thu, 15 Mar 2018 10:43:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7Z2Vj/UVjSwG/WAso5GRvN7gs41wDOek3Cr/csWx1EI=; b=bL3e0vyFkxYbDbKIY/DiIPTeDy0JUztxR3QTm4Q16r1/USlXAM5CkBEIyudNLATwnJ ciburutcifIzyEMeHNFU8DOCMHhd6FluZA+rf2lSC+zFMc5OGMT89n4K9CvIHcKprHDC 9I2vxXE36jdlsiMBa6mCRZvgOBZVZLP090t2gpZyOuWhn/oKqiBXaOIzUmRAh0EBHutO yPylTGWi7anJ+Lj2i4iXFWD6uV841SZbu8mX5Rt/MyDEMy3dPt0IB9mpEjcYVogDngrE lJfRxyEXkxghJ3Hic06AINoEegtswPelzmLUz+0WyHmh8Kzj7RL0SDCNI7/lN2L3aFcU Gy3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7Z2Vj/UVjSwG/WAso5GRvN7gs41wDOek3Cr/csWx1EI=; b=Oz7vRLHxKrxjV6DXD0Ni2MFa+S3jnaVEqc1MKHG1aM/68CgaSNtfj4vckpYjT9j6DN zFPDBSvsJQwR2P5VBB+wpX6J+7UfI1T2jpen+EfJz2dbXPXBLnsmupJ3aKSyhQYVUsmP RaZ0Hrgdx7tjU4cpXnW0uLaUYzm+CuDmrO+cV1vj1yQVmg3x4wIuPe6K+JV3khYkNpWl QFPn1XnodZyiTQ0TXh5ZVamLGlM18+KQ3T0V1DA08aRIuBFVdAxv/OwGp64Z2yX75ZD6 1YYY9W+uCKNqqpEZ/8rQ4GceGmnHpRgWtvHdmlHiqUc22ejNl1myGNmXTPSYnaahtc3T afvQ==
X-Gm-Message-State: AElRT7HJuu0dLfAhjg8Nh12sjGPZrT40nQGTECRxYpN2Wu480cp63vOr h/aCwtc1Zj6N55MubVIdcYZ8Hzl9iesj7nLA2nE=
X-Google-Smtp-Source: AG47ELuYOtiMnoxh8Bvd0FcZZUbrjE5hzBD0cH3SAJ6VDCV/MTVwo+8+axB4mDK0CVEqGiRqHruJf+XyGHXCMuPER10=
X-Received: by 2002:a24:3c8a:: with SMTP id m132-v6mr7462638ita.132.1521135781068; Thu, 15 Mar 2018 10:43:01 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 15 Mar 2018 10:42:20 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
From: Kathleen Moriarty <>
Date: Thu, 15 Mar 2018 13:42:20 -0400
Message-ID: <>
To: Carl Mehner <>
Cc: Ion Larranaga Azcue <>, "" <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [TLS] Breaking into TLS to protect customers
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 15 Mar 2018 17:43:03 -0000

On Thu, Mar 15, 2018 at 12:58 PM, Carl Mehner <> wrote:
> On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty
> <> wrote:
>> I think what Yoav is referring to by detecting BOTS within the
>> network, is really so called advance persistent threat (APT) actors
>> that are moving around the internal network leveraging existing access
>> rights of compromised accounts and privilege escalation
>> vulnerabilities.  These might be detectable with 'visibility'.
>> Patterns and behavior might be used to detect the APT use case whether
>> or not encryption protects the stream, but it is more difficult.
> Yes, they might, however, the best place for malware detection is on the
> edge (which is out of scope for "in the Datacenter" type connections) and
> the endpoint, where an agent is able to run that does not need to 'break in'
> to the TLS session. Yes, the Fenter draft talks about how malware endpoints
> can be anywhere in the network, and that they can delete logs as a reason to
> require out of band network decryption. However, if "breaking TLS" becomes
> an effective malware mitigation means, more malware makers may move to using
> app-level encryption (as some already have). Therefore, the conclusion we
> can draw is that malware is not a reasonable reason requiring this enhanced
> "visibility".

The example I provided is not about malware, it was about lateral
movement by threat actors within a network.  The initial compromise
that led to access within the network may have been through malware or
some other vulnerability, but I do think monitoring on an internal
network (encrypted or not, through logs or on the wire) is the use
case for attack detection that is plausible with the proposed

Best regards,

> -carl


Best regards,