Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)

Alex C <> Sat, 24 March 2018 06:26 UTC

Date: Sat, 24 Mar 2018 19:26:11 +1300
To: Dan Brown <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

As I understand it (poorly!) the idea is exactly to have a single system on
the network that monitors all traffic in cleartext.
It's fundamentally impossible to prevent someone from copying all their
traffic to another system in cleartext. If they're going to do it, they
The functionality is exactly the same as what could be achieved by
installing monitoring software on each endpoint, but the logistics are
different since the monitoring is centralized.

The debate seems to be around: whether it should be standardized, and
whether the other endpoint (outside the monitored network) should know
about it.

On Tue, Mar 20, 2018 at 4:18 AM, Dan Brown <> wrote:

> Dear TLS WG,
> Enterprise "visibility" is a network issue, not an Internet issue, and
> thus, to my _limited_ understanding, should be out of scope of IETF.
> Nonetheless, enterprise security is important, and enterprise networks use
> Internet technology internally, so the topic is perhaps still procedurally
> discussable, so I continue.  I (naively) worry that "visibility" is also
> "siphonability", creating an incentive for a Snowden-sized (but malicious)
> leak, which could hurt enterprises and their customers.  In other words:
> who watches the watchers; avoid a single point of weakness; prevent social
> engineering opportunities; decentralize power; make sure the cure is not
> worse than the ailment; etc.  It is not yet clear (to me) which attackers
> "visibility" would thwart, but if it is just naïve (but plentiful)
> insiders, then I imagine the optimal solution would be better endpoint
> management (which may be a more difficult road than "visibility", but
> should still be the long-term solution).
> Best regards,
> Dan
> PS: I never directly worked on enterprise security (usually, I just think
> about the math of basic crypto primitives), but I don't recall hearing
> about such a "visibility" feature in the enterprise security work of
> colleagues (whom I do _not_ speak for), e.g. one system used forward-secure
> ECMQV to establish a connection between smartphones and the enterprise
> network.