IETF Logo Mail Archive

Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

Simon Friedberger <simon.tls@a-oben.org> Mon, 17 July 2017 16:40 UTC

Return-Path: <simon.tls@a-oben.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CDFA131CA3 for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 09:40:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I8tD0ei3cuEF for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 09:40:43 -0700 (PDT)
Received: from a-oben.org (squint.a-oben.org [144.76.111.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 774C2131C70 for <tls@ietf.org>; Mon, 17 Jul 2017 09:40:43 -0700 (PDT)
Received: from [91.183.52.43] (helo=[192.168.1.189]) by a-oben.org with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.88) (envelope-from <simon.tls@a-oben.org>) id 1dX94b-0005cf-EK for tls@ietf.org; Mon, 17 Jul 2017 18:40:41 +0200
To: "tls@ietf.org" <tls@ietf.org>
References: <CABkgnnU8ho7OZpeF=BfEZWYkt1=3ULjny8hcwvp3nnaCBtbbhQ@mail.gmail.com> <2A9492F7-B5C5-49E5-A663-8255C968978D@arbor.net> <CABkgnnX7w0+iH=uV7LRKnsVokVWpCrF1ZpTNhSXsnZaStJw2cQ@mail.gmail.com> <FDDB46BC-876C-49FC-9DAE-05C61BB5EFC9@vigilsec.com> <9C81BE7B-7C21-4504-B60D-96BA95C3D2FD@arbor.net> <CAEa9xj55jzch-v0mysbRSryNM0Y7Bdtevmrc3+FVxMO8EP5zWA@mail.gmail.com> <CC3CE5F8-C8C2-4A70-829D-483E26D20733@arbor.net> <CAEa9xj5eR6b_+CsSDArMWWr-u8hx5B81kDVEMEX8sgfUeMUS8g@mail.gmail.com> <C3B01C35-E3A2-4A8B-9DD7-D6E4153ED39F@arbor.net> <CAEa9xj6p0y9ZzxLJvtv9GDzzfs5s13nnLqm=4_fNDPGV+=Od8Q@mail.gmail.com> <BE4E8E4A-51FC-4211-A16F-EBA8B3F01757@arbor.net> <CAEa9xj7sVcGAR03f3pWsK7giFqmu7GRHN4gqh9Nb6uEAOM88Yw@mail.gmail.com> <637C97B3-DA63-4F61-8EB5-D938136D520C@arbor.net>
From: Simon Friedberger <simon.tls@a-oben.org>
Message-ID: <dfc93b70-0fa4-6cac-8c3d-5f2ff771f85d@a-oben.org>
Date: Mon, 17 Jul 2017 18:40:41 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <637C97B3-DA63-4F61-8EB5-D938136D520C@arbor.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6ZKmBJBVaakHdWrzL86CoQyouqo>
Subject: Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 16:40:45 -0000


On 17/07/17 17:32, Roland Dobbins wrote:
> Sure - detecting attempted additional compromise and lateral movement
> utilizing exploits within TLS-encrypted traffic.
This is about decrypting traffic inside your network.


> Another is detecting (and subsequent blocking of) the download of
> malware by intranet users.
>
> Detecting data exfiltration is also a common use of this technique in
> intranet environments.
This is about decrypting traffic that goes outside of your network.


I'm not sure the same considerations should apply to both those situations.

v2.23.0 | Report a Bug | By Email