IETF Logo Mail Archive

Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

Carl Mehner <c@cem.me> Mon, 17 July 2017 14:52 UTC

Return-Path: <c@cem.me>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 997E0131C3C for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 07:52:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cem.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uiDzGrD34FWt for <tls@ietfa.amsl.com>; Mon, 17 Jul 2017 07:52:31 -0700 (PDT)
Received: from mail-ua0-x244.google.com (mail-ua0-x244.google.com [IPv6:2607:f8b0:400c:c08::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5702131C34 for <tls@ietf.org>; Mon, 17 Jul 2017 07:52:31 -0700 (PDT)
Received: by mail-ua0-x244.google.com with SMTP id z22so10358177uah.0 for <tls@ietf.org>; Mon, 17 Jul 2017 07:52:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cem.me; s=cem; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=wQzgErvPN/jNHdqYLPfAUfQ6ZIIhtajbW9qpEAjKpeM=; b=UHTyGG5ya65/E1F8Y75WVwvEcjUMBsO8nO/krP1K3/Yrw0qliBF/rFQPVA3SyGz73y K8pSz1osEYqa0Bpmd5B9tEtLb9z6Fa5dZhrkaUgwhp9d+5d3t6W6LzSYpknwhRQRd/0T 7bhMziJc4T52hvosClrh7uFsW9GeQM6LOfs+Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=wQzgErvPN/jNHdqYLPfAUfQ6ZIIhtajbW9qpEAjKpeM=; b=C5A6hj2P75ETLw4Jmg6yMVa1f/qQ7it1pNRuHS2RN88g69wUny9LKvvR2MyZOtxko+ PRYLvoHQdcscEzeHUiFOkoCc8tdk4X4gChczJNdfUvChIbnlPnPErZwiefOy6/WUC085 m9ged08L7xqBqTEEESy/4MZOatIC79zNXjtzO4sY7A7xS5YQ8bL+KDK55R2nZMW/D0a6 efdMupgFTcUR4HCNFKIbklFbSWWgDAMSlCr8SKDvflaOgDLIxNaX9fBIFt4xx9du13nl e4VECGOUDIc4WLkDnQTKDqSPff3LBFIC3wF17GJ2FOzuQPEaW1waKNVF7jfjLHriBerE /PvQ==
X-Gm-Message-State: AIVw113Dr6oGpcwGTZZagKBYOqAzlS+lHqeX9lRaJzbFtzVH6NVAbBtg imt6G4A2PvZg7uGIQJw5KjI1IXIwRrgv
X-Received: by 10.159.60.75 with SMTP id w11mr13262903uah.143.1500303150498; Mon, 17 Jul 2017 07:52:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.37.174 with HTTP; Mon, 17 Jul 2017 07:52:29 -0700 (PDT)
X-Originating-IP: [172.8.175.41]
In-Reply-To: <BE4E8E4A-51FC-4211-A16F-EBA8B3F01757@arbor.net>
References: <CABkgnnU8ho7OZpeF=BfEZWYkt1=3ULjny8hcwvp3nnaCBtbbhQ@mail.gmail.com> <2A9492F7-B5C5-49E5-A663-8255C968978D@arbor.net> <CABkgnnX7w0+iH=uV7LRKnsVokVWpCrF1ZpTNhSXsnZaStJw2cQ@mail.gmail.com> <FDDB46BC-876C-49FC-9DAE-05C61BB5EFC9@vigilsec.com> <9C81BE7B-7C21-4504-B60D-96BA95C3D2FD@arbor.net> <CAEa9xj55jzch-v0mysbRSryNM0Y7Bdtevmrc3+FVxMO8EP5zWA@mail.gmail.com> <CC3CE5F8-C8C2-4A70-829D-483E26D20733@arbor.net> <CAEa9xj5eR6b_+CsSDArMWWr-u8hx5B81kDVEMEX8sgfUeMUS8g@mail.gmail.com> <C3B01C35-E3A2-4A8B-9DD7-D6E4153ED39F@arbor.net> <CAEa9xj6p0y9ZzxLJvtv9GDzzfs5s13nnLqm=4_fNDPGV+=Od8Q@mail.gmail.com> <BE4E8E4A-51FC-4211-A16F-EBA8B3F01757@arbor.net>
From: Carl Mehner <c@cem.me>
Date: Mon, 17 Jul 2017 09:52:29 -0500
Message-ID: <CAEa9xj7sVcGAR03f3pWsK7giFqmu7GRHN4gqh9Nb6uEAOM88Yw@mail.gmail.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_H4KfbFCUS7MnndVo7fmgbfrbNc>
Subject: Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 14:52:34 -0000

On Mon, Jul 17, 2017 at 9:11 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
>
>
> On Jul 17, 2017, at 15:59, Carl Mehner <c@cem.me> wrote:
>
> the only way that this draft would help you
> with malware analyzing)
>
>
> This statement is factually incorrect.  It’s not the only way, as I've just
> explained.

Ok, sure, sorry for being imprecise. it's the only way that would help
you if you were trying to use this draft. If you're not using this
draft, then why are we talking about malware here? Do you have an
example of where malware would be on your intranet where using this
draft would help you?

> Again, why are you trying to pretend that the use of this technique is not
> prevalent nor important in the security context, when it is in fact quite
> prevalent & important, & has been for many years?

First, I was not the person you asked this to the first time, unless
you were asking the list, if you were I think there has been a
considerable effort to try and understand. Second, now that you have
asked me... I have, that's why i'm asking questions, (that you haven't
answered) Thirdly, just because something is prevalent and important
and has been used for many years, doesn't mean that it should
continue.

Looking at HTTP-only traffic for debugging was prevalent and sometimes
was even considered "OK" because, "we're in an intranet, not going
over the Internet", now we understand that it is not longer acceptable
to use plaintext traffic. Because of that tools changed, network
designs changed. A similar thing is happening now. Non-FS was ok,
because it's "intranet", now, it is not tools and designs will have to
change. (And since we are throwing around PCI hypotheticals.. maybe
PCI will mandate forward secrecy without static keys because it's more
secure.. we just don't know.)
The bar, as Steven pointed out earlier, is for you to prove. You
should be proving that it is necessary, not just that it is prevalent
or easier.

> And why are you unable to understand that that in the case of an additional
> layer of attacker-generated crypto nestled within a TLS tunnel, as you
> posited, that the ability to simply detect the presence of such an
> additional layer of unexpected crypto, even without the ability to
> immediately decrypt it, has substantial value in a security context?

I didn't say that I didn't understand that knowing nested crypto was
occurring was beneficial. I do. I agree it is beneficial. I'm trying
to get you to explain how this draft helps with that.

> Are you unfamiliar with the concept of traffic analysis, in the crypto sense
> of the term?
I recently analyzed some malware that was sending encrypted traffic
back and forth nested inside TLS. But we didn't need to open up the
TLS stream to know that it was malware. Also, this draft did not apply
to that strain of malware, it wouldn't have even helped determine that
the crypto was doubled.

v2.23.0 | Report a Bug | By Email