Re: [TLS] TLS Impact on Network Security draft updated
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 23 July 2019 20:14 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4795C120987 for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 13:14:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0ScxnySdAa4 for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 13:14:45 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA3121209C6 for <tls@ietf.org>; Tue, 23 Jul 2019 13:14:45 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id E4A362F8F5; Tue, 23 Jul 2019 16:14:44 -0400 (EDT)
Date: Tue, 23 Jul 2019 16:14:44 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20190723201444.GB98742@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <6AF48228-19C2-41C7-BA86-BA16940C3CFF@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6AF48228-19C2-41C7-BA86-BA16940C3CFF@cisco.com>
User-Agent: Mutt/1.11.4 (2019-03-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XdI-CgNpYag5m4d3FZ36bzim2Uc>
Subject: Re: [TLS] TLS Impact on Network Security draft updated
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 20:14:59 -0000
On Sun, Jul 21, 2019 at 01:51:32PM +0000, Nancy Cam-Winget (ncamwing) wrote: > Thanks to all the feedback provided, we have updated the https://tools.ietf.org/html/draft-camwinget-tls-use-cases-04 > draft. At this point, we believe the draft is stable and would like to request its publication as an informational draft. I found the language of the draft (especially the introduction) somewhat turgid and repetitive to the point of significantly detracting from readability. I think the draft needs substantial editing for simplicity and clarity. As to specific technical issues, I don't understand the point being made in Section 2.2.2 about client key shares and resumption: In TLS 1.3, the above mechanism is replaced by Pre-Shared Keys (PSK), which can be negotiated as part of an initial handshake and then used in a subsequent handshake to perform resumption using the PSK. TLS 1.3 states that the client SHOULD include a "key_share" extension to enable the server to decline resumption and fall back to a full handshake, however it is not an absolute requirement. Example scenarios that are impacted by this are middleboxes that were not part of the initial handshake, and hence do not know the PSK. If the client does not include the "key_share" extension, the middlebox cannot force a fallback to the full handshake. If the middlebox policy requires it to inspect the session, it will have to fail the connection instead. [ AFAIK, even with PSK-based resumption, and even when the client's initial key share was not acceptable to server, the server can still perform a full handshake after HRR. An MiTM middle-box can replace the server's HRR with its own, and then decline the client's PSK and perform a full handshake. ] I also found the malicious server argument in section 2.2.1 somewhat unconvincing, since malicious servers have lots of (previously) innocuous domains to choose from, or can present self-signed certificates for any SNI of their choice. The impact of TLS 1.3 is largely limited to making it more difficult to whitelist "known good" servers from MiTM inspection. With TLS 1.3 a middle box that wants to be sure to MiTM sessions to "bad" servers, must also MiTM sessions to "good" servers (in order to determine that they're really "known good"), because authenticating a "good" server is no longer possible without MiTM interception. Blacklists of "known bad" are easily bypassed even with TLS 1.2. Middleboxes that are limited to closing TCP connections for the "known bad", are not particularly effective with TLS 1.2, and will be increasingly less so as attacks become more sophisticated. A middlebox that wants to detect the bad must do MiTM interception, and with TLS 1.3 will need to intercept *all* traffic, even the previously "known good", once the "known good" peer deploys TLS 1.3. Yes, optimizing out interception of the "authenticated known good" is no longer possible. -- Viktor.
- [TLS] TLS Impact on Network Security draft updated Nancy Cam-Winget (ncamwing)
- Re: [TLS] TLS Impact on Network Security draft up… Eric Rescorla
- Re: [TLS] TLS Impact on Network Security draft up… Bret Jordan
- Re: [TLS] TLS Impact on Network Security draft up… Watson Ladd
- Re: [TLS] TLS Impact on Network Security draft up… Tony Arcieri
- Re: [TLS] TLS Impact on Network Security draft up… Viktor Dukhovni
- Re: [TLS] TLS Impact on Network Security draft up… Mark O
- Re: [TLS] TLS Impact on Network Security draft up… Ackermann, Michael
- Re: [TLS] TLS Impact on Network Security draft up… Flemming Andreasen
- Re: [TLS] TLS Impact on Network Security draft up… Sean Turner
- Re: [TLS] TLS Impact on Network Security draft up… Flemming Andreasen
- Re: [TLS] TLS Impact on Network Security draft up… Flemming Andreasen
- Re: [TLS] TLS Impact on Network Security draft up… Salz, Rich
- Re: [TLS] TLS Impact on Network Security draft up… Watson Ladd
- Re: [TLS] TLS Impact on Network Security draft up… Bret Jordan
- Re: [TLS] TLS Impact on Network Security draft up… Arnaud.Taddei.IETF
- Re: [TLS] TLS Impact on Network Security draft up… Ackermann, Michael
- Re: [TLS] TLS Impact on Network Security draft up… Dennis Jackson
- Re: [TLS] TLS Impact on Network Security draft up… Eric Rescorla
- Re: [TLS] TLS Impact on Network Security draft up… Filippo Valsorda
- Re: [TLS] TLS Impact on Network Security draft up… Bret Jordan
- Re: [TLS] TLS Impact on Network Security draft up… Watson Ladd
- Re: [TLS] TLS Impact on Network Security draft up… Dennis Jackson
- Re: [TLS] TLS Impact on Network Security draft up… Bret Jordan
- Re: [TLS] TLS Impact on Network Security draft up… Salz, Rich
- Re: [TLS] TLS Impact on Network Security draft up… Benjamin Kaduk
- Re: [TLS] TLS Impact on Network Security draft up… Ackermann, Michael
- Re: [TLS] TLS Impact on Network Security draft up… Watson Ladd
- Re: [TLS] TLS Impact on Network Security draft up… Dennis Jackson
- Re: [TLS] TLS Impact on Network Security draft up… Joseph Birr-Pixton
- Re: [TLS] TLS Impact on Network Security draft up… Benjamin Kaduk
- Re: [TLS] TLS Impact on Network Security draft up… Hubert Kario
- Re: [TLS] TLS Impact on Network Security draft up… Salz, Rich
- Re: [TLS] TLS Impact on Network Security draft up… Stephen Farrell
- [TLS] redirecting discussion (was Re: TLS Impact … Sean Turner
- Re: [TLS] TLS Impact on Network Security draft up… N6Ghost