Re: [TLS] draft-green-tls-static-dh-in-tls13-01

"Blumenthal, Uri - 0553 - MITLL" <> Mon, 17 July 2017 14:04 UTC


A higher-level view on this issue.

TLS has been designed as a protocol that allows two entities to communicate securely over a network controlled by an adversary, including abusive authorities.

“But we (the (network) authorities) are the good guys, and we need to break the guarantees TLS provides so we can catch criminals – and here is how we propose to break TLS-1.3”. 

Considering that unless at least one of the end-points chooses to comply with the “rules” it will not work – the claim that this measure is to help the good guys does not sound very candid.

Who is the intended target of this mechanism? What kind of criminals is it supposed to catch/detect? Surely not the malware that penetrated your infrastructure and tries to “call home”?

History shows that criminals violate laws, regulations, and even network protocols (:-) – that’s why they’re called criminals. Criminals also proved capable of creating quite sophisticated malware. The proponents of the “broken TLS” somehow expect that those criminals would use weakened crypto for the convenience of the network police. How much sense does this make? Experience shows that criminals use not just cutting edge – bleeding edge crypto. For example, consider Conficker. Plus, there are many ways to foil this proposed mechanism – for example, super-encrypting the data before transmission.

Then there’s an issue of the abuses. First, not all of the “legitimate” authorities are “good guys” (all the time :). Second, I’m not aware of any “network security” tool that hasn’t been subverted at some point in time. 

The likely result of the “static-dh-…” proposal is improved mass surveillance by authorities, and exploits of this mechanism by organized crime.
To those who need that surveillance: stay with TLS-1.2. An important goal of TLS-1.3 is preventing the possibility of this surveillance.

To everybody: you can’t have your cake and eat it too. 
Either you have PFS and the bad guys will benefit from it too (so you need to detect and fight them using other methods), or only the bad guys have PFS and you might [0] detect them because their “protection quality” stands out amidst the ocean of the automatically-inspected & censored traffic.

[0] “Might” rather than “would”. Because there are well-known ways of hiding the presence of encryption, at the cost of an increase in ciphertext size. The hope that the encrypted traffic would stand out is unfounded. Considering how fast the attack sophistication is evolving, the likelihood that “they” would employ other countermeasures but ignore this one is fairly low.