Re: [TLS] network-based security solution use cases

Florian Weimer <> Sun, 05 November 2017 15:31 UTC

From: Florian Weimer <>
To: "Nancy Cam-Winget \(ncamwing\)" <>
Cc: tls
Date: Sun, 05 Nov 2017 16:31:52 +0100
In-Reply-To: <> (Nancy Cam-Winget's message of "Sat, 4 Nov 2017 01:49:54 +0000")
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

* Nancy Cam-Winget:

> @IETF99, awareness was raised to some of the security WGs (thanks
> Kathleen ☺) that TLS 1.3 will obscure visibility currently afforded in
> TLS 1.2 and asked what the implications would be for the security
> solutions today.
> is an
> initial draft to describe some of the impacts relating to current
> network security solutions.  The goal of the draft is NOT to propose
> any solution as a few have been proposed, but rather to raise
> awareness to how current network-based security solutions work today
> and their impact on them based on the current TLS 1.3 specification.

I'm not sure if this approach is useful, I'm afraid.  The draft is
basically a collection of man-in-the-middle attacks many people would
consider benign.  It's unclear where the line is drawn: traffic
optimization/compression and ad suppression/replacement aren't
mentioned, for example, and I would expect both to be rather low on
the scale of offensiveness.

What the draft is essentially arguing is that many users cannot afford
end-to-end encryption for various reasons, some legal, some technical,
some political.  But it seems to me that this is currently not a
viewpoint shared by the IETF.