Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

Carl Mehner <c@cem.me> Mon, 17 July 2017 13:59 UTC

In-Reply-To: <C3B01C35-E3A2-4A8B-9DD7-D6E4153ED39F@arbor.net>
References: <CABkgnnU8ho7OZpeF=BfEZWYkt1=3ULjny8hcwvp3nnaCBtbbhQ@mail.gmail.com> <2A9492F7-B5C5-49E5-A663-8255C968978D@arbor.net> <CABkgnnX7w0+iH=uV7LRKnsVokVWpCrF1ZpTNhSXsnZaStJw2cQ@mail.gmail.com> <FDDB46BC-876C-49FC-9DAE-05C61BB5EFC9@vigilsec.com> <9C81BE7B-7C21-4504-B60D-96BA95C3D2FD@arbor.net> <CAEa9xj55jzch-v0mysbRSryNM0Y7Bdtevmrc3+FVxMO8EP5zWA@mail.gmail.com> <CC3CE5F8-C8C2-4A70-829D-483E26D20733@arbor.net> <CAEa9xj5eR6b_+CsSDArMWWr-u8hx5B81kDVEMEX8sgfUeMUS8g@mail.gmail.com> <C3B01C35-E3A2-4A8B-9DD7-D6E4153ED39F@arbor.net>
From: Carl Mehner <c@cem.me>
Date: Mon, 17 Jul 2017 08:59:51 -0500
Message-ID: <CAEa9xj6p0y9ZzxLJvtv9GDzzfs5s13nnLqm=4_fNDPGV+=Od8Q@mail.gmail.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JCAEyrEhyx2z9GBlu3Gxo5zvqyg>
Subject: Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

I have not heard any assertions that looking at unencrypted TLS
traffic is not valuable. I agree that there are cases where it is. What
I and others have disagreed with is that the examples provided on the
list and in the draft of where it is necessary are either not
applicable, or simply 'easier' rather than necessary.
In the email below, I was trying to find out which case malware would
fall into. Do you have an example of where malware would be on your
intranet using this draft (the only way that this draft would help you
with malware analysis)? If you do not, let's remove malware analysis
from the list of arguments for this draft.


On Mon, Jul 17, 2017 at 8:54 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
>
>
> On Jul 17, 2017, at 15:40, Carl Mehner <c@cem.me> wrote:
>
> Why would malware use this draft?
>
>
> Nobody said anything about malware using this draft.
>
> What I'm saying is that the ability to look inside the TLS tunnel & infer
> the presence of an additional, unexpected cryptostream - even without the
> ability to decrypt it - is quite valuable.
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
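The quoted argument is that once a monitoring point can see inside the TLS tunnel, it can notice a second, unexpected encrypted stream riding on top of a protocol that is supposed to carry text, even if that inner stream can never be decrypted. The following is an added example of that check, written for this page; it is not code from the draft, from the TLS working group, or from either participant. It assumes a passive observer that already holds the session plaintext (the situation the static-DH draft would create), a constructed JSON body and a constructed ciphertext produced by a toy SHA-256 counter keystream (a stand-in for "some other cipher", not a recommendation), and entropy and chi-square thresholds that are tunable assumptions rather than standards.

```python
"""Flag an unexpected ciphertext-like body inside already-decrypted HTTP.

Added example for this thread; not the draft's or the TLS WG's code. The
observer is assumed to have the plaintext already. It asks a narrow
question: does a body declared as a text media type look like ciphertext?
"""
import base64
import gzip
import hashlib
import math
import re
import zlib
from collections import Counter

# Media types where a near-uniform byte histogram is NOT expected.
TEXT_TYPES = ("text/", "application/json", "application/xml",
              "application/x-www-form-urlencoded")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~4-5 for English/JSON, ~7.95+ for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square against a uniform byte distribution (255 degrees of
    freedom). Ciphertext lands near 255; ASCII text is far higher."""
    if not data:
        return float("inf")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


_B64 = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def unwrap(body: bytes, content_encoding) -> bytes:
    """Undo layers that legitimately hide the byte distribution:
    gzip/zlib transfer encoding, then a body that is one base64 blob."""
    if content_encoding in ("gzip", "deflate"):
        body = zlib.decompress(body, 47)  # 47 = auto-detect zlib or gzip header
    stripped = b"".join(body.split())
    if len(stripped) >= 64 and len(stripped) % 4 == 0 and _B64.match(stripped):
        body = base64.b64decode(stripped)  # heuristic; long tokens can match too
    return body


def triage(content_type: str, content_encoding, body: bytes,
           min_len: int = 256) -> str:
    """Return 'skip', 'inconclusive', 'ok' or 'suspect' for one body.
    Thresholds (7.5 bits, chi-square 400) are assumptions for the demo."""
    if not content_type.startswith(TEXT_TYPES):
        return "skip"            # binary media: high entropy is expected
    try:
        body = unwrap(body, content_encoding)
    except (zlib.error, ValueError):
        return "suspect"         # declared gzip/base64 but not decodable
    if len(body) < min_len:
        return "inconclusive"    # too little data to judge a histogram
    if shannon_entropy(body) > 7.5 and chi_square_uniform(body) < 400.0:
        return "suspect"         # text type carrying random-looking bytes
    return "ok"


# ---- constructed sample traffic (not captured data) ----
def _toy_keystream(seed: bytes, nbytes: int) -> bytes:
    """SHA-256 counter keystream, only to manufacture ciphertext-like bytes."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


JSON_BODY = (b'{"user":"alice","action":"list","items":[1,2,3],'
             b'"note":"hello world"}\n') * 8
INNER_PLAINTEXT = b"beacon-id=1337;cmd=sleep\n" * 160
CIPHERTEXT = bytes(p ^ k for p, k in zip(
    INNER_PLAINTEXT, _toy_keystream(b"constructed-demo-key", len(INNER_PLAINTEXT))))
GZIPPED_JSON = gzip.compress(JSON_BODY)
B64_CIPHERTEXT = base64.b64encode(CIPHERTEXT)


def demo() -> dict:
    """Run the four interesting cases; returned so a caller can assert on it."""
    return {
        "json": triage("application/json", None, JSON_BODY),
        "gzip_json": triage("application/json", "gzip", GZIPPED_JSON),
        "cipher_in_json": triage("application/json", None, CIPHERTEXT),
        "b64_cipher_in_text": triage("text/plain", None, B64_CIPHERTEXT),
        "cipher_in_octet_stream": triage("application/octet-stream", None, CIPHERTEXT),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} {verdict}")
```

The point of the `unwrap` step is that compression and base64 are the two ordinary reasons a text body would not look like text; only after removing them does a near-uniform histogram under a text media type become a signal worth an analyst's time. Compressed data that is not declared as such still reads as high-entropy, so this heuristic cannot tell "encrypted" from "compressed but mislabelled"; it only says the body is not what its media type claims.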