Re: [TLS] chairs - please shutdown wiretapping discussion...

Yoav Nir <ynir.ietf@gmail.com> Tue, 11 July 2017 22:09 UTC

Cc: Christian Huitema <huitema@huitema.net>, Ted Lemon <mellon@fugue.com>, TLS WG <tls@ietf.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YarYJYsuOKRVFMdtRXhYPBpU97k>

> On 12 Jul 2017, at 0:21, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> 
> On 11/07/17 22:10, Yoav Nir wrote:
>> If one of the parties to a conversation cooperates with the wiretap,
>> this isn’t an attack.
> Lemme try on this one again from a different angle.
> 
> In classic telephony wiretaps the carrier does the
> tap. There are similar situations with TLS...
> 
> In hosted platforms (e.g. wordpress.com and many
> others) where the senders and receivers (or publishers
> & readers) have read and write access via PHP code
> and not via a shell, and cannot therefore control web
> or TLS configuration, the platform would be doing a
> wiretap if it turned this on, whilst colluding with
> or being coerced by some other entity that collects
> and later decrypts the ciphertext and packets.
> 
> Are we agreed that that use-case is wiretapping via
> this mechanism?
> 
> There are many millions of people who use such
> constrained hosted environments.

Wordpress.com <http://wordpress.com/> is a party to the session. It has access to the plaintext and could deliver it to whatever third party whenever they wanted. This draft may be an optimization, but the plaintext was always theirs to give.

I might be deluding myself that I’m sending this email to you over TLS. In fact I’m only uploading it to gmail.com <http://gmail.com/> who will forward it to TCD’s server. Both servers will have access to the plaintext. Both servers can send it to a third party, or share session keys or share ECDHE private keys.

Whether one party to a conversation (phone or IP) has the right to share private contents with a third party is a legal matter that varies from country to country and from state to state. I only claim that this draft does not change the fact that is true for PFS suites in TLS 1.x and for all suites in TLS 1.3, that it’s impossible to decrypt a recorded session without cooperation from either party, and that cooperation has to start *before* the session is recorded.

That is not the case for POTS wiretap or for the RSA key exchange.

Yoav
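
Added example, not part of the original message: a toy Python model of the distinction the message draws between RSA key exchange and forward-secret (ephemeral Diffie-Hellman) suites when a recorded session is opened later. The parameters, function names and XOR cipher are all constructed for illustration, and the signature that authenticates the DH shares is omitted.

```python
import hashlib, secrets

# Toy parameters constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                      # DH group (Mersenne prime modulus)
RSA_N, RSA_E = (2**61 - 1) * (2**89 - 1), 65537
RSA_D = pow(RSA_E, -1, (2**61 - 2) * (2**89 - 2))   # server's long-term private key

def toy_cipher(secret: int, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream derived from the session secret."""
    key = hashlib.sha256(str(secret).encode()).digest()
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(x ^ y for x, y in zip(data, stream))

def rsa_session(msg: bytes) -> dict:
    """RSA key transport: the premaster travels encrypted to the long-term key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    return {"enc_premaster": pow(premaster, RSA_E, RSA_N),
            "ct": toy_cipher(premaster, msg)}          # all a recorder sees

def dhe_session(msg: bytes, server_priv: int = 0) -> dict:
    """(EC)DHE stand-in: the server exponent is fresh unless one is supplied,
    which models a server that agreed beforehand to use a key it shares."""
    b = server_priv or secrets.randbelow(P - 3) + 2
    a = secrets.randbelow(P - 3) + 2
    return {"client_share": pow(G, a, P), "server_share": pow(G, b, P),
            "ct": toy_cipher(pow(G, a * b, P), msg)}   # a and b are dropped here

def open_rsa_recording(rec: dict, long_term_d: int) -> bytes:
    """Recover the premaster from the recording with the long-term RSA key."""
    return toy_cipher(pow(rec["enc_premaster"], long_term_d, RSA_N), rec["ct"])

def open_dhe_recording(rec: dict, server_priv: int) -> bytes:
    """Recompute the DH secret from the recorded client share and an exponent."""
    return toy_cipher(pow(rec["client_share"], server_priv, P), rec["ct"])

if __name__ == "__main__":
    msg = b"constructed sample plaintext"
    print(open_rsa_recording(rsa_session(msg), RSA_D))   # key handed over afterwards
    print(open_dhe_recording(dhe_session(msg), RSA_D))   # nothing left to hand over
    print(open_dhe_recording(dhe_session(msg, 0xC0FFEE), 0xC0FFEE))  # arranged first
```

Only the first and third calls return the plaintext: the RSA recording opens with a key disclosed at any later time, while the DH recording opens only when the server's exponent was fixed and shared before the session took place.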