Re: [TLS] Industry Concerns about TLS 1.3

BITS Security <BITSSecurity@fsroundtable.org> Mon, 03 October 2016 21:21 UTC

Return-Path: <BITSSecurity@fsroundtable.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0E60129586 for <tls@ietfa.amsl.com>; Mon, 3 Oct 2016 14:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fsroundtable.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tJaDY15Vvszl for <tls@ietfa.amsl.com>; Mon, 3 Oct 2016 14:21:29 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0087.outbound.protection.outlook.com [104.47.40.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56ABE129592 for <tls@ietf.org>; Mon, 3 Oct 2016 14:21:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fsroundtable.onmicrosoft.com; s=selector1-fsroundtable-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=2ASaWt/jBRssaQeiAvyg1k0r2p2tVVSv2EkMMJz5leQ=; b=G3LdbqqZbYe2Ly5G1oOHhoimm3yLJ/KfjC95G2O3yIlj0MwD77KS0cnmhFI0HGK1Sg5QsaVF35+Ro1lpGv/Hc2N7PPb21SUOlgvGOAMMHAu/t1o7POc2OEGSC+WhbH5tj/2d4xfhDPBhoecBRhiq9aqUs/K+GkaPW2B3pWSqH14=
Received: from DM5PR11MB1419.namprd11.prod.outlook.com (10.168.104.21) by DM5PR11MB1417.namprd11.prod.outlook.com (10.168.104.19) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.619.10; Mon, 3 Oct 2016 21:21:09 +0000
Received: from DM5PR11MB1419.namprd11.prod.outlook.com ([10.168.104.21]) by DM5PR11MB1419.namprd11.prod.outlook.com ([10.168.104.21]) with mapi id 15.01.0619.020; Mon, 3 Oct 2016 21:21:09 +0000
From: BITS Security <BITSSecurity@fsroundtable.org>
To: Tony Arcieri <bascule@gmail.com>
Thread-Topic: [TLS] Industry Concerns about TLS 1.3
Thread-Index: AdIU8WqWM9WBapZoQzyfqxiOaK25fQADrwVgABxJhIAADgIdgAAAS/+AAAFEjIAAAGtwAAAHxtLQAADiU4AAAeJj0AAFTeiAAI3SNcAANQvmgAEuwRLg
Date: Mon, 3 Oct 2016 21:21:08 +0000
Message-ID: <DM5PR11MB141951D29143A6785089FC5CF4C20@DM5PR11MB1419.namprd11.prod.outlook.com>
References: <DM5PR11MB1419B782D2BEF0E0A35E420DF4C90@DM5PR11MB1419.namprd11.prod.outlook.com> <CO1PR07MB283F2C414B6478E993675DEC3C90@CO1PR07MB283.namprd07.prod.outlook.com> <394611bf-208f-03d3-620c-79aaf169645b@cs.tcd.ie> <4FC37E442D05A748896589E468752CAA0DBC66AE@PWN401EA120.ent.corp.bcbsm.com> <CAH8yC8kgYzYXwJ01NkK7WYxD-diponWEQOd+MNHssm+bLHE54w@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC699B@PWN401EA120.ent.corp.bcbsm.com> <CACsn0c=5vjzQmr=ah6sH1JzTj3peaKad7aCPertcqD4B2DLKiA@mail.gmail.com> <DM5PR11MB141941D8E156245A1CF6C911F4C80@DM5PR11MB1419.namprd11.prod.outlook.com> <126ee1b6-fc88-bf4e-c366-60d59a9b3350@gmail.com> <DM5PR11MB1419F8F0D0C80835C1DB49F2F4C80@DM5PR11MB1419.namprd11.prod.outlook.com> <CAK6vND_S-YRfY5mpvt_v_srNhdvYJkM8pVV84bywr9zMaYoE6A@mail.gmail.com> <DM5PR11MB1419620B8BA15C7780F60669F4CD0@DM5PR11MB1419.namprd11.prod.outlook.com> <CAHOTMVLv7F3-ZuKM+35eL-tOtr8ee-1gqwYy+9zQu2GKrsXkjQ@mail.gmail.com>
In-Reply-To: <CAHOTMVLv7F3-ZuKM+35eL-tOtr8ee-1gqwYy+9zQu2GKrsXkjQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=BITSSecurity@fsroundtable.org;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [165.117.248.226]
x-ms-office365-filtering-correlation-id: e7e229c6-95bc-4ecc-f92a-08d3ebd33178
x-microsoft-exchange-diagnostics: 1; DM5PR11MB1417; 6:udcEp7PMGd4RWdmwVlTnOEmw8wIfbiTyq4pOsIB4bBm8JnffSZ0s58a6NFpr1SpTyLwCuKZpZFS6mT21b429uHEM+Zu48nVWdFSMS4kuUYZvJg25443ii5I2qU42ZdRiMbB7MzUBOyk5NvnKHuh9kuVD0lu3JQopM/dm4aHZ9zAcWSOJOPtAzrIzknBviqwhn/Gqy9bbS/0BocLRVGFfQPn+B+vjaSiP5V7Q0/FgZpEDlIfjgI8TvJzzQog2XNQn24r0Fn1er0Svdty5nk9u40ZJO1R0+k+UtlWAWxINLO/mNmWFha5rck5proKClVi/; 5:GSGUAjodioZB1ofvUgE4W1eyFqMz+qwSfkfqmWJy+KLLVVxG2EtgZ0g6T6ORCC6Fza1b8z5HtmvHCTUq1ibYZuDGLMIPAGumQICBVIBb9u9Yp+jvztOArVD2GF7GM+YcBqNWVqpz4aUfNa83nN8yaA==; 24:njUh0dSunggiZ5imPsZB1AOPi6zjkp268W7BpTuqWDtGZrGe/pBQwNaeaUaOGAG+60y8vrxXgJbC2xGU69IS1T4JfZtsKdn4i8UJBKXlauQ=; 7:bByLYT/1g97iMdiJflUGcUZ6LJcMwNNmhlN2NTdzOV5iXNq94W82yt3bBSZmecUcKgQkwkP87AZvS8LCDHTdtqWujJvAq4SV5xpJiQvH5At7k783kzBGO1F0yW0ks0baX5iNlen2DdCkUgoeID+xUw+XH1Hl5lcKNeGff4ZXgrvOL2AWBDZXdFU/C1kqqh5ZK1Qh63x9mUQ0ca1S/mKJEXOePTRsy/OcazvhiTVVkDcaEk1niujoLICFseSc+l44AVLTF+gBSBh8fnhNWEJ5S3msqQ2hivS55XB5E1j0OY+s+3o/jsPeV2G7LlyVluwc
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM5PR11MB1417;
x-microsoft-antispam-prvs: <DM5PR11MB141793F19A080B3A4482622CBDC20@DM5PR11MB1417.namprd11.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(20558992708506)(192374486261705)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6042046)(6043046); SRVR:DM5PR11MB1417; BCL:0; PCL:0; RULEID:; SRVR:DM5PR11MB1417;
x-forefront-prvs: 008421A8FF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(189002)(24454002)(55674003)(377454003)(122556002)(8936002)(1411001)(2950100002)(81166006)(5660300001)(11100500001)(6116002)(3660700001)(50986999)(586003)(3846002)(102836003)(74316002)(6916009)(76576001)(92566002)(8676002)(9686002)(68736007)(189998001)(33656002)(7696004)(110136003)(54356999)(3280700002)(76176999)(2906002)(7736002)(77096005)(97736004)(87936001)(19580395003)(19580405001)(66066001)(99286002)(101416001)(106356001)(93886004)(2900100001)(5002640100001)(81156014)(10400500002)(80792005)(4326007)(305945005)(7846002)(105586002)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1417; H:DM5PR11MB1419.namprd11.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: fsroundtable.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: fsroundtable.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Oct 2016 21:21:08.7958 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 841de5a0-73e8-4cbc-8142-f80b225ef22d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1417
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eZJyEz3TsVpXTrWI1jZeL6WuCj0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Oct 2016 21:21:32 -0000

> I work firsthand enforcing these requirements at a payments company. Again, I do not speak on behalf of my employer.   
> It wasn't until last year that PCI decided to deprecate TLS 1.0, at the time a 16 year old standard. I think your sense of emergency is highly over-exaggerated.   
> I find it highly unlikely that any group such as the PCI Council will begin mandating TLS 1.3 any time soon. I would go as far as to call your concerns "imaginary".  

If PCI has mandated upgrading TLS because of vulnerabilities, they are likely to do it again and in fact have provided strong hints to the market where they should be beyond the minimum requirement itself.  I don't see that the timing really matters because it isn't based on the age of the standard, it is based on the standard becoming outdated.  We're trying to get ahead of foreseeable problem some will have. 

Further, PCI does not require TLS encryption at all in a private data center, at least not technically.  However, in practice they strongly recommend segmenting the Cardholder Data Environment, which I suspect most financials have done, and many have used TLS as part of their strategy for segmentation (encrypted PCI traffic flowing through devices does not bring these devices into scope for audit).  So according to current practice, auditors are going to require certain levels of TLS in order for our segmenting strategies to work.

> If you are worried about such an eventuality, the IETF is the wrong place to complain. It is far, far too late in the TLS 1.3 process to be voicing these concerns. Where were you 2+ years ago when it was the appropriate time in the TLS development cycle to voice such concerns? I think the view of more "forward thinking" payments companies is TLS 1.3 has taken too long already, and they would like to start deploying it in its current form and would prefer unnecessary holdups/distractions which have already occurred throughout the process.

PCI requirement providing Intrusion Detection at the entrance to Cardholder Data Environments as well as at critical points inside the Cardholder Data Environment.  Intrusion Detection requires decryption of TLS.  For some large, complex organizations this can be a large number of physical inspection points, more than can be accommodated by MITM.  I understand this may not be a problem for your current environment but others do not have that luxury.

> That said, there is still plenty of time to ensure that groups like the PCI Council do not put in place requirements which would affect the centralized traffic-decrypting MitM-capability on your payments stack. Perhaps you should be voicing your concerns there? If you are worried about a TLS 1.3 mandate preventing your MitM capability, the onus is on you to convince the relevant payments standards bodies that mandating TLS 1.3 is a bad idea for the payments industry. I think those organizations are better poised to judge whether such an approach reflects on necessary requirements versus pervasive antipatterns among complacent companies unprepared for the future and ripe for a data breach.

We can implore PCI all we want, but if events overtake us, such as the introduction of new security risks, we have to be prepared for eventualities like TLS 1.3 being the mandate and must be prepared perform IDS/IPS routines at scale such an environment.

> In the meantime, you have disclosed a veritable treasure map to a traffic-decrypting single point of failure which ostensibly exists at all of the companies you represent which attackers could leverage to recover all payment credentials. That sounds like a huge security threat.
> Would you mind disclosing which companies you represent, so I can ensure for the safety of my own money that I do not use them?

I don't know how this listserv operates in practice but it is this type of sophistry that hard boils my eggs to put it politely.  Perhaps this is just the regular cost of participation but that would be unfortunate.  

If you look at the industry reports like the Verizon PCI Breach and Compliance Reports, private keys simply aren't being stolen.  Maybe there is an outlier or two but there certainly isn't a documented trend I can find.  If you have contravening information to provide I am all ears. 

- Andrew 



From: Tony Arcieri [mailto:bascule@gmail.com] 
Sent: Tuesday, September 27, 2016 4:17 PM
To: BITS Security <BITSSecurity@fsroundtable.org>;
Cc: Peter Bowen <pzbowen@gmail.com>;; tls@ietf.org
Subject: Re: [TLS] Industry Concerns about TLS 1.3

On Mon, Sep 26, 2016 at 12:01 PM, BITS Security <BITSSecurity@fsroundtable.org>; wrote:
The PCI DSS is already requiring TLS 1.2 for financial institutions that participate in the Payment Card Industry.  .BANK (exclusive top level banking domain) is also planning to require TLS 1.2.   We're anticipating that a regulatory body like these will require TLS 1.3 at some point in the future.  Financial institutions then have to comply if they want to continue to do business with the companies represented by the regulatory body (like large credit card companies in the case of PCI).

Hello again,

I work firsthand enforcing these requirements at a payments company. Again, I do not speak on behalf of my employer.

It wasn't until last year that PCI decided to deprecate TLS 1.0, at the time a 16 year old standard. I think your sense of emergency is highly over-exaggerated.

I find it highly unlikely that any group such as the PCI Council will begin mandating TLS 1.3 any time soon. I would go as far as to call your concerns "imaginary".

If you are worried about such an eventuality, the IETF is the wrong place to complain. It is far, far too late in the TLS 1.3 process to be voicing these concerns. Where were you 2+ years ago when it was the appropriate time in the TLS development cycle to voice such concerns? I think the view of more "forward thinking" payments companies is TLS 1.3 has taken too long already, and they would like to start deploying it in its current form and would prefer unnecessary holdups/distractions which have already occurred throughout the process.

That said, there is still plenty of time to ensure that groups like the PCI Council do not put in place requirements which would affect the centralized traffic-decrypting MitM-capability on your payments stack. Perhaps you should be voicing your concerns there? If you are worried about a TLS 1.3 mandate preventing your MitM capability, the onus is on you to convince the relevant payments standards bodies that mandating TLS 1.3 is a bad idea for the payments industry. I think those organizations are better poised to judge whether such an approach reflects on necessary requirements versus pervasive antipatterns among complacent companies unprepared for the future and ripe for a data breach.

In the meantime, you have disclosed a veritable treasure map to a traffic-decrypting single point of failure which ostensibly exists at all of the companies you represent which attackers could leverage to recover all payment credentials. That sounds like a huge security threat.

Would you mind disclosing which companies you represent, so I can ensure for the safety of my own money that I do not use them?

-- 
Tony Arcieri