Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

Carl Mehner <c@cem.me> Mon, 17 July 2017 13:15 UTC

In-Reply-To: <9C81BE7B-7C21-4504-B60D-96BA95C3D2FD@arbor.net>
References: <CABkgnnU8ho7OZpeF=BfEZWYkt1=3ULjny8hcwvp3nnaCBtbbhQ@mail.gmail.com> <2A9492F7-B5C5-49E5-A663-8255C968978D@arbor.net> <CABkgnnX7w0+iH=uV7LRKnsVokVWpCrF1ZpTNhSXsnZaStJw2cQ@mail.gmail.com> <FDDB46BC-876C-49FC-9DAE-05C61BB5EFC9@vigilsec.com> <9C81BE7B-7C21-4504-B60D-96BA95C3D2FD@arbor.net>
From: Carl Mehner <c@cem.me>
Date: Mon, 17 Jul 2017 08:15:10 -0500
Message-ID: <CAEa9xj55jzch-v0mysbRSryNM0Y7Bdtevmrc3+FVxMO8EP5zWA@mail.gmail.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_AGVNVmqufxdJ_p7s15xaCr2p9o>
Subject: Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

On Mon, Jul 17, 2017 at 8:02 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
>
>
> On Jul 17, 2017, at 14:14, Russ Housley <housley@vigilsec.com> wrote:
>
> I think that the IDS is trying to detect an infected server trying to
> migrate to another server.  Malware often includes a series of exploits that
> are tried in sequence to infect a neighbor, and this activity provides a
> detectable signature.
>
>
> Correct. And not just between servers.

I think the point that Martin was making (and if he wasn't, I will):
that malware is becoming increasingly aware that IDS/IPS and TLS proxy
boxes are looking into TLS traffic, and they're beginning to encrypt
traffic inside the TLS tunnel. That pushes the problem back into the
application layer, and onto the endpoint to be dealt with by antivirus
tools.
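An added illustration of the limitation described in this reply, written here and not part of the thread or of any IDS product: once a TLS-terminating inspection box hands the decrypted stream to an IDS, the most it can say about application-layer encryption inside the tunnel is "this payload is opaque". The function names, thresholds and the two sample payloads below are constructed assumptions for the example; the opaque blob is a deterministic chained hash standing in for inner ciphertext so the script runs offline.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: a plaintext HTTP request as a TLS-terminating proxy
# might hand it to an IDS after decryption (assumption, not from the thread).
PLAINTEXT_HTTP = (
    b"GET /update/check?v=1.2.3 HTTP/1.1\r\n"
    b"Host: updates.example.net\r\n"
    b"User-Agent: agent/1.2.3\r\n"
    b"Accept: */*\r\n\r\n"
)


def constructed_opaque_blob(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic high-entropy bytes standing in for application-layer
    ciphertext carried inside the TLS tunnel. Built by chaining SHA-256 so the
    example is offline and repeatable; to an IDS, real inner ciphertext has
    the same flat byte distribution."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the observed distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def classify_inner_payload(
    data: bytes,
    min_len: int = 64,
    printable_threshold: float = 0.9,
    entropy_threshold: float = 7.0,
) -> str:
    """Rough verdict an inline inspector can reach about a decrypted payload.

    'inspectable'  - looks like text; signature/content rules can apply
    'opaque'       - high-entropy, non-text bytes; content is not visible
    'inconclusive' - too short, or neither clearly text nor clearly opaque

    Thresholds are assumptions for the example. Note that 'opaque' is not
    'malicious': compressed bodies, images and legitimate end-to-end encrypted
    protocols look the same, which is why this pushes the decision to the
    endpoint rather than settling it on the wire.
    """
    if len(data) < min_len:
        return "inconclusive"
    if printable_ratio(data) >= printable_threshold:
        return "inspectable"
    if shannon_entropy(data) >= entropy_threshold:
        return "opaque"
    return "inconclusive"


if __name__ == "__main__":
    blob = constructed_opaque_blob(4096)
    for label, payload in (("http", PLAINTEXT_HTTP), ("inner-crypto", blob)):
        print(
            f"{label:12s} len={len(payload):5d} "
            f"entropy={shannon_entropy(payload):.2f} "
            f"printable={printable_ratio(payload):.2f} "
            f"verdict={classify_inner_payload(payload)}"
        )
```

Run it and the HTTP request comes back "inspectable" while the blob comes back "opaque"; the inspector has learned only that something it cannot read is present. That is the whole value a network box retains against malware that encrypts inside TLS: a prevalence or anomaly signal (how much of a host's traffic is opaque, and to where), which is a reasonable feed for endpoint investigation but not a substitute for it.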