Re: [TLS] Breaking into TLS to protect customers

Yoav Nir <ynir.ietf@gmail.com> Thu, 15 March 2018 04:57 UTC

Date: Thu, 15 Mar 2018 06:57:46 +0200
Cc: "tls@ietf.org" <tls@ietf.org>
To: Rich Salz <rsalz@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gkWVqnmUzDRjY76yIMvwklTxRRc>

Hi, Rich.

You are conflating customers and users. The customer that may be protected by breaking TLS in a bank’s server farm is the bank itself. An IPS system with visibility into the traffic may detect bots that are there to steal data or mine cryptocurrencies or whatever.

If the customers of the bank are protected, it’s a happy side effect (collateral benefit?). The object is to protect the system integrity and the data.

Yoav

> On 15 Mar 2018, at 5:29, Salz, Rich <rsalz@akamai.com> wrote:
> 
> Some on this list have said that they need to break into TLS in order to protect customers.
> 
> The thing customers seem to need the most protection from is having their personal data stolen. It seems to happen with amazing and disappointing regularity on astounding scales. Some examples include:
> * retailer Target, presumably subject to PCI-DSS rules
> * Anthem health insurance, presumably a regulated industry
> * Equifax, a financial-business organization (but apparently not regulated)
> * Yahoo, a company created on and by and for the Internet (one would think they know better)
> We could, of course, go on and on and on.
> 
> NONE of those organizations are using TLS 1.3.
> 
> So what kind of “protect the customer” requires breaking TLS?  And what benefits and increased protection will customers see?