Re: [TLS] TLS Impact on Network Security draft updated

Sean Turner <sean@sn3rd.com> Tue, 23 July 2019 20:51 UTC

From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CAHOTMVJSqZxstAs6nBiXaqWDBLY8R=gYZ4WooYVXGax0UmRL-w@mail.gmail.com>
Date: Tue, 23 Jul 2019 16:51:50 -0400
Cc: Nancy Cam-Winget <ncamwing@cisco.com>, "tls@ietf.org" <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E29654E9-4AE7-4558-910D-133529ABBCC4@sn3rd.com>
References: <6AF48228-19C2-41C7-BA86-BA16940C3CFF@cisco.com> <CAHOTMVJSqZxstAs6nBiXaqWDBLY8R=gYZ4WooYVXGax0UmRL-w@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SxETsnu9F4p2rr2jDALZeZVubWM>
Subject: Re: [TLS] TLS Impact on Network Security draft updated

Tony,

While you may have concerns or otherwise disagree with the contents of this draft, let’s please keep discussion on this list, on all issues, polite and professional.

spt
(as co-chair)

> On Jul 23, 2019, at 16:05, Tony Arcieri <bascule@gmail.com> wrote:
> 
> On Sun, Jul 21, 2019 at 6:51 AM Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com> wrote:
> Hi,
> 
> Thanks to all the feedback provided, we have updated the https://tools.ietf.org/html/draft-camwinget-tls-use-cases-04 draft.  At this point, we believe the draft is stable and would like to request its publication as an informational draft.
> 
> 
> I read this draft as the latest attempt in a disinformation campaign by manufacturers and users of middleboxes that passively decrypt TLS connections to politicize and reframe the argument around what is, at its core, a fundamentally insecure practice which is incompatible with technically sound and highly desirable protocol improvements to TLS.
> 
> I implore you to stop using overly broad terminology, euphemisms, weasel words, and other deceptive language to argue your points.
> 
> This draft is titled "TLS 1.3 Impact on Network-Based Security", but the subtext is quite clearly the much narrower subfield of middlebox TLS decryption. By using such a grandiose title which is deceptively hiding the true subject matter, you are implying that middleboxes are the sum total of network security.
> 
> The draft begins "Enterprises [...] need to defend their information systems from attacks originating from both inside and outside their networks." I am co-owner of a company which heavily leverages firewalls for layer 3/4 network security in conjunction with TLS. We care deeply about network security, and believe that our network is *more secure* specifically because we *don't* perform middlebox interception of TLS.
> 
> I consider our company to be in the category of enterprise TLS users, and as an enterprise TLS user who cares deeply about network security, I do not identify whatsoever with the claims this draft is making about the needs of enterprise TLS users as a whole. In as much as what it describes to "network security", it is but one niche consideration within a vastly broader field, and one which is increasingly controversial.
> 
> I will point out, since you appear to work at Cisco, that your company works on approaches to network security (e.g. malware detection) which avoid decrypting TLS:
> 
> https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption
> 
> There is an entire world of network IDS systems beyond middleboxes which passively decrypt TLS.
> 
> It is factually inaccurate for this draft to be described as "TLS 1.3 Impact on Network-Based Security". If you are going to write a draft about the impact of TLS 1.3 on middleboxes for passive TLS decryption, please call a spade a spade and don't try to hide your true intentions under a bunch of weasel words and overly broad claims that make it sound like middlebox-related TLS decryption problems are the end of network security as we know it.
> 
> My 2c, on behalf of non-middlebox-using enterprise TLS users who feel that attempts by middlebox-using enterprise TLS users to weaken TLS in order to retain compatibility with their traffic decryption appliances is a threat to the security of our enterprise TLS deployments.