Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)

mrex@sap.com (Martin Rex) Wed, 28 March 2018 23:17 UTC

In-Reply-To: <03EC7170-1559-4D1B-ABB0-552DC5C2A3B0@gmail.com>
References: <1521920255951.94271@s21sec.com> <03EC7170-1559-4D1B-ABB0-552DC5C2A3B0@gmail.com>
To: Steve Fenter <steven.fenter58@gmail.com>
Date: Thu, 29 Mar 2018 01:17:13 +0200 (CEST)
CC: Ion Larranaga Azcue <ilarra@s21sec.com>, "tls@ietf.org" <tls@ietf.org>
Reply-To: mrex@sap.com
Message-Id: <20180328231713.6B3D9409B@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5JAwHq5SNeS4Vq1nD1PgcBiXfjg>
Subject: Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)

Steve Fenter <steven.fenter58@gmail.com> wrote:
>
> To clarify for anyone who has confusion on the enterprise TLS visibility
> use case, I think enterprises need to be able to do out-of-band decryption
> anywhere in the network that they own.

This argument is so lame.

In Germany, monitoring communications between individuals or between
individuals and legal entities, including communications over corporate
networks, was made a serious crime in 2004 (TKG 2004) with a penalty of
up to 5 years in prison for listening in on such communication.

The world didn't end.  Really, consider it proven that there is no need.

There may be _desires_.  For me, those desires are no less unethical
than the data collection by Apple, Cambridge Analytica, Facebook, Google,
Microsoft, whathaveyou...

... and fortunately, for corporations in Germany, such data gathering
is not just unethical, but truly criminal by law.


-Martin