Re: [TLS] Ideas for TLS 1.3: Server key continuity and certificate reporting
Kai Engert <kaie@kuix.de> Mon, 13 January 2014 15:56 UTC
Return-Path: <kaie@kuix.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56DA41AE098 for <tls@ietfa.amsl.com>; Mon, 13 Jan 2014 07:56:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RI94WDFFJ07S for <tls@ietfa.amsl.com>; Mon, 13 Jan 2014 07:56:37 -0800 (PST)
Received: from s15531995.onlinehome-server.info (s15531995.onlinehome-server.info [IPv6:2001:8d8:910:de00::2f:a36d]) by ietfa.amsl.com (Postfix) with ESMTP id 64D361ADF53 for <tls@ietf.org>; Mon, 13 Jan 2014 07:56:36 -0800 (PST)
Received: from [192.168.2.253] (p4FF35775.dip0.t-ipconnect.de [79.243.87.117]) by s15531995.onlinehome-server.info (Postfix) with ESMTPSA id 8CC4642980EB for <tls@ietf.org>; Mon, 13 Jan 2014 16:56:25 +0100 (CET)
Message-ID: <1389628585.16063.34.camel@lapkaie>
From: Kai Engert <kaie@kuix.de>
To: tls <tls@ietf.org>
Date: Mon, 13 Jan 2014 16:56:25 +0100
In-Reply-To: <1389627894.16063.26.camel@lapkaie>
References: <1389371947.30279.56.camel@lapkaie> <52D047C3.20208@akr.io> <1389392562.13026.111.camel@lapkaie> <1389627894.16063.26.camel@lapkaie>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.8.5 (3.8.5-2.fc19)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Ideas for TLS 1.3: Server key continuity and certificate reporting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2014 15:56:39 -0000
On Mo, 2014-01-13 at 16:44 +0100, Kai Engert wrote: > I believe your point is, it doesn't matter which pysical connectivity > option a client uses to connect to the Internet - because the adversary > doesn't need to manipulate connections close to the victim, but rather > could enforce that MITM remains always active for a particular client. > > I agree, for state level attackers who can manipulate the Internet > backbone, this could block the ability of a victim to report a falsely > issued certificate to the real server. > > Question is, is the quantum server really sufficiently reliable enough > to be active at all times, no expections? For each victim, a onetime > glitch or downtime would be sufficient to get the false certificate > reported. Replying to myself, a few additional comments on that: If a powerful adversary used QUANTUM* to implement MITM widely, for many clients, using a falsely issued certificate, the adversary risks detection. For example, I have proposed the http://detector.io project, where I encourage all operators of TLS servers to monitor their own server for an unexpected certificate, by connecting from elsewhere, for example, by making use of the capabilities of the existing Tor network. The ideas presented in this particular mailing list thread focus on the idea that most MITM attacks wouldn't be executed broadly, because of the high risk of detecting the falsely issued certificate. Rather, I focus on targetted attacks, which involve only clients of a very small subset of the network. When targetting only a small subset of a network with MTIM, I think it's likely that eventually the client will be able to connect around that network, either caused by a roaming client, or by a temporary downtime of the MITM attack, which would be sufficient for reporting the false certificate as I'm proposing here. Kai
- [TLS] Ideas for TLS 1.3: Server key continuity an… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Alyssa Rowan
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Paul Hoffman
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Trevor Perrin
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Daniel Kahn Gillmor
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Ralph Holz
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Paul Hoffman
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Watson Ladd
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Paul Hoffman
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Trevor Perrin
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Paul Hoffman
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Ryan Sleevi