Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

"Dobbins, Roland" <rdobbins@arbor.net> Mon, 17 July 2017 14:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KAoJoKC-9SWPQOmRH5z4ger_SK4>


On Jul 17, 2017, at 15:59, Carl Mehner <c@cem.me> wrote:

> the only way that this draft would help you
> with malware analyzing)

This statement is factually incorrect.  It’s not the only way, as I've just explained.

Again, why are you trying to pretend that the use of this technique is neither prevalent nor important in the security context, when it is in fact quite prevalent & important, & has been for many years?

And why are you unable to understand that, in the case of an additional layer of attacker-generated crypto nestled within a TLS tunnel, as you posited, the ability to simply detect the presence of such an additional layer of unexpected crypto, even without the ability to immediately decrypt it, has substantial value in a security context?

Are you unfamiliar with the concept of traffic analysis, in the crypto sense of the term?

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
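The message above argues that an inspection point which can see the plaintext of a TLS session can still gain value from merely detecting a nested, unexpected layer of encryption without decrypting it. The following is an added illustration of that idea, written for this archive page; it is not code from the poster or from the draft under discussion. It runs a byte-entropy check over a decrypted HTTP body and flags a body whose declared Content-Type promises text but whose bytes look like ciphertext. The threshold (7.5 bits/byte), the sample payloads and all function names are constructed assumptions; the Content-Encoding check is there because compressed bodies are also high-entropy and would otherwise be false positives.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class PayloadVerdict:
    entropy: float       # Shannon entropy in bits per byte
    suspicious: bool     # True when the body looks like hidden ciphertext
    reason: str


# Assumed threshold: real ciphertext on a few KB of data sits near 8.0 bits/byte,
# natural text, JSON, HTML and most source code sit well below 6.
HIGH_ENTROPY_BITS = 7.5

# Bodies declared with these encodings are compressed; high entropy is expected
# and the check must be re-run after decoding, not on the raw bytes.
COMPRESSED_ENCODINGS = {"gzip", "br", "deflate", "zstd"}

# Media types whose bodies are legitimately opaque; not a signal on their own.
OPAQUE_TYPES = ("application/octet-stream", "image/", "video/", "audio/",
                "application/zip", "font/")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_payload(body: bytes, content_type: str,
                   content_encoding: Optional[str] = None,
                   min_len: int = 512) -> PayloadVerdict:
    """Flag a plaintext-declared body whose bytes are indistinguishable from ciphertext."""
    h = shannon_entropy(body)
    if len(body) < min_len:
        # Entropy estimates on short inputs are biased low; do not judge them.
        return PayloadVerdict(h, False, "body too short to assess")
    if content_encoding and content_encoding.lower() in COMPRESSED_ENCODINGS:
        return PayloadVerdict(h, False, "compressed body; assess after decoding")
    if content_type.lower().startswith(OPAQUE_TYPES):
        return PayloadVerdict(h, False, "opaque media type; high entropy expected")
    if h >= HIGH_ENTROPY_BITS:
        return PayloadVerdict(
            h, True,
            f"entropy {h:.2f} bits/byte inside a body declared as {content_type}")
    return PayloadVerdict(h, False, "entropy consistent with declared type")


def _deterministic_noise(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Constructed stand-in for ciphertext: a SHA-256 chain, so the example is repeatable."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sample bodies, as an inspecting proxy would see them after TLS termination.
PLAINTEXT_BODY = b'{"user":"alice","action":"login","ok":true}\n' * 20
OPAQUE_BLOB = _deterministic_noise(4096)


if __name__ == "__main__":
    for body, ctype, enc in [(PLAINTEXT_BODY, "application/json", None),
                             (OPAQUE_BLOB, "text/html", None),
                             (OPAQUE_BLOB, "text/html", "gzip")]:
        v = assess_payload(body, ctype, enc)
        print(f"{ctype:18} enc={enc!s:5} entropy={v.entropy:.2f} suspicious={v.suspicious} ({v.reason})")
```

In practice this verdict is only a trigger for further analysis (reassembling the flow, checking which endpoint sent it, comparing against the application's known content types), which is the traffic-analysis point the message makes: the nested layer need not be decrypted for its presence to be actionable.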