Re: [TLS] Breaking into TLS to protect customers

Ion Larranaga Azcue <> Thu, 15 March 2018 18:08 UTC

From: Ion Larranaga Azcue <>
To: Kathleen Moriarty <>, Carl Mehner <>
CC: "" <>
Thread-Topic: [TLS] Breaking into TLS to protect customers
Date: Thu, 15 Mar 2018 18:08:38 +0000
Subject: Re: [TLS] Breaking into TLS to protect customers
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

> -----Original Message-----
> From: Kathleen Moriarty []
> Sent: Thursday, 15 March 2018 18:42
> To: Carl Mehner <>;
> CC: Ion Larranaga Azcue <>;
> Subject: Re: [TLS] Breaking into TLS to protect customers
> The example I provided is not about malware, it was about lateral movement
> by threat actors within a network.  The initial compromise that led to access
> within the network may have been through malware or some other
> vulnerability, but I do think monitoring on an internal network (encrypted or
> not, through logs or on the wire) is the use case for attack detection that is
> plausible with the proposed approach.

Ok, now it's clear to me. I don't know why I thought I had seen, a couple of times these last days, people talking about the need for an IPS to decrypt traffic going from the enterprise to the internet, trying to detect exfiltration of data or connections to a malware C&C, which is not within the scope of the draft, and I thought we were starting to veer off course in the discussion.

As usually happens, I've been looking for those previous messages (not too hard, I must admit) and I have been unable to find them, so I probably misunderstood what someone meant...

My bad!