Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 17 July 2017 18:35 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: IETF TLS <tls@ietf.org>
Thread-Topic: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)
Thread-Index: AQHS/vR5lF141oQzb0GeHnUlNx5L9aJYMXgAgAANgICAAAOcAIAABaaAgAABXQCAAAPqgIAAAY+AgAADO4D//8BIAIAAUI+A///jCgCAAE8pAP//w6OA
Date: Mon, 17 Jul 2017 18:35:21 +0000
Message-ID: <0393B6D5-BE7F-41A2-BC8F-43D330BD499D@ll.mit.edu>
References: <CABkgnnU8ho7OZpeF=BfEZWYkt1=3ULjny8hcwvp3nnaCBtbbhQ@mail.gmail.com> <2A9492F7-B5C5-49E5-A663-8255C968978D@arbor.net> <CABkgnnX7w0+iH=uV7LRKnsVokVWpCrF1ZpTNhSXsnZaStJw2cQ@mail.gmail.com> <FDDB46BC-876C-49FC-9DAE-05C61BB5EFC9@vigilsec.com> <9C81BE7B-7C21-4504-B60D-96BA95C3D2FD@arbor.net> <CAEa9xj55jzch-v0mysbRSryNM0Y7Bdtevmrc3+FVxMO8EP5zWA@mail.gmail.com> <CC3CE5F8-C8C2-4A70-829D-483E26D20733@arbor.net> <CAEa9xj5eR6b_+CsSDArMWWr-u8hx5B81kDVEMEX8sgfUeMUS8g@mail.gmail.com> <C3B01C35-E3A2-4A8B-9DD7-D6E4153ED39F@arbor.net> <CAEa9xj6p0y9ZzxLJvtv9GDzzfs5s13nnLqm=4_fNDPGV+=Od8Q@mail.gmail.com> <BE4E8E4A-51FC-4211-A16F-EBA8B3F01757@arbor.net> <66C1C32C-53C2-43A4-BCB0-96DDC26A1F58@ll.mit.edu> <69018030-3157-42D4-A573-0E39E46EFAA9@arbor.net> <31C01911-5E2B-4812-B4B5-334C7D212F22@ll.mit.edu> <7995AB85-5144-4ABE-993D-EB1415E7E2DD@arbor.net>
In-Reply-To: <7995AB85-5144-4ABE-993D-EB1415E7E2DD@arbor.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/a15nXUCJu_E6ugczJUOTlcLVIqY>
Subject: Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

> But it's also important to understand that security is additive in nature,
> not all the criminals are bright or sophisticated, & so the emergence of a
> few smarter ones doesn't make those less so disappear.

:-) It’s Law Enforcement’s job to make the dumber ones disappear.

The question is whether the risk all of the legit users would be subjected to is justified by the preserved ability to detect the dumber criminals using an outdated method, instead of evolving with the times.

> In reality, most of them are awful blunderers - they succeed because the defenders
> are worse blunderers.  Consequently, there hasn't been an alarming (heh) dropoff in
> the need for TLS visibility on the intranet - quite the opposite.

Let’s exchange our criminals – I’d much rather deal with yours. ;-)

My point though is – this dropoff in visibility *will* come, like it or not.

> And the need for it isn't limited to the security space.  It's extremely important for troubleshooting, as well.

Based on my experience troubleshooting – I disagree. If I control at least one end of the communications – I have all the visibility into the traffic that I need.