Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)

Vakul Garg <vakul.garg@nxp.com> Fri, 30 March 2018 09:42 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SZ_aThZ6lp9dnRrb2R9I8JcXsNA>

Hi Martin

> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Rex
> Sent: Thursday, March 29, 2018 4:47 AM
> To: Steve Fenter <steven.fenter58@gmail.com>;
> Cc: tls@ietf.org
> Subject: Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)
> 
> Steve Fenter <steven.fenter58@gmail.com> wrote:
> >
> > To clarify for anyone who has confusion on the enterprise TLS
> > visibility use case, I think enterprises need to be able to do
> > out-of-band decryption anywhere in the network that they own.
> 
> This argument is so lame.
> 
> In Germany, monitoring communications between individuals or between
> individuals and legal entities, including communications over corporate
> networks, was made a serious crime in 2004 (TKG 2004) with a penalty of up
> to 5 years in prison for listening into such communication.
> 
> The world didn't end.  Really, consider it proven that there is no need.
> 
 
Could monitoring could be legally done if user provided his consent at the time of 
login into enterprise managed terminal? 
I guess that's the case in enterprise managed networks.

> There may be _desires_.  For me, those desires are no less unethical than data
> collections by Apple, Cambridge Analytica, Facebook, Google, Microsoft,
> whathaveyou...
> 
> .... and fortunately, for corporations in Germany, such data gathering is not
> just unethical, but truly criminal by law.
> 
> 
> -Martin