Re: [TLS] TLS Proxy Server Extension

[Matt McCutchen <matt@mattmccutchen.net>]

On Tue, 2011-08-02 at 09:19 +0300, Yoav Nir wrote:
> Decryption-only through sharing of keys would not work. Some of the
> processing to be done cannot be done by a passive eavesdropper. For
> example, if you send me an MS-Word document to my gmail account, and I
> would like to download it, the way to check for malware is for the
> proxy to download the entire file, scan it for malware, and then
> forward it to my computer. A passive eavesdropper would finish
> collecting the file too late - by then I already have it. An active
> proxy is necessary.

You are confusing layers.  TLS relies on the flow control of the
underlying stream.  The proxy would have to split the TCP connection in
order to collect the entire file, but it would ultimately send the
collected TLS records on to the client verbatim, so the TLS-level
behavior would be passive.

> I think he's missing the baseline. The baseline is that TLS proxies
> work well enough that companies deploy then. Even in Europe. There are
> some downsides to using them: client certificates and PSK suites don't
> work. Certificate and CA pinning don't work. The user cannot verify
> the actual server certificate chain. The EV indication is gone. But
> all these are not blocking administrators from deploying TLS proxies.
> They may be blocking sites from using client certificates or PSK
> suites, although there are plenty of other things blocking those (but
> that's from another thread)
> 
> This extension may help with those deficiencies. With or without the
> extension, the existence (or possibility) of the proxy is visible to
> the user, because you need to install a CA certificate. A user can
> choose not to use the corporate network for accessing HTTPS sites
> where he's not comfortable with having the content inspected. The fact
> that the server is not similarly given a choice may be a problem, but
> that is a property of using TLS without client authentication. The
> extension can help, but only if the proxy uses it.

All agreed.

A person using a corporate laptop has no expectation of privacy from the
company.  The proxy extension just offers a technically more capable
solution for that scenario.

No one is proposing, per se, that TLS interception be used in any more
places than it is now.  Of course, interception may now be used in
places where it was always desired but could not be used before due to
protocol issues.  However, it's hard to believe that the proxy extension
would change the market and/or legal forces that currently restrain ISPs
from routinely intercepting customer traffic, if that is what Martin is
worried about.

The TLS WG may have a personal distaste for the use case addressed by
the extension.  But I would reason that the use case is valid, thus the
extension is worthy of standardization to get interoperable
implementations, and the TLS WG is the best venue available for
technical discussion.  As David explained
(https://www.ietf.org/mail-archive/web/tls/current/msg07920.html), the
use case does not constitute wiretapping as defined in RFC 2804.

-- 
Matt