Re: [TLS] Sabotage?

Christopher Patton <cpatton@cloudflare.com> Fri, 25 September 2020 23:58 UTC

References: <42a2462f-d872-1077-0070-5a4037fd9560@pobox.com> <4829C0D7-5C71-47CD-AEBE-F6FB4FAD870F@gmail.com>
In-Reply-To: <4829C0D7-5C71-47CD-AEBE-F6FB4FAD870F@gmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Fri, 25 Sep 2020 16:58:27 -0700
Message-ID: <CAG2Zi22xzRjwpf6Dggp+LiddnvGBXYZw3E=RJB4bcLZqk8_1BA@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: Michael D'Errico <mike-list@pobox.com>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hosXUdliJMYfLItbtEIGpwMOj40>

Hi Mike,

TLS 1.3 represents the best intentions of a huge number of contributors.
Compared to earlier versions of TLS, 1.3 received much more scrutiny, from
academics and industry folks alike. It's much more secure than earlier
versions of the protocol as a result of this process. For more on this, I'd
invite you to listen to Thyla van der Merwe's talk at Real World Crypto
2018: https://www.youtube.com/watch?v=t4caEr9hh98. The process isn't
perfect ... there may be bugs that lurk in TLS today, and bugs are likely
to arise as the protocol evolves. But the process hasn't been "hijacked".

Would you care to elaborate on your concerns around tracking of users?

Best,
Chris P.

On Sat, Sep 12, 2020 at 2:05 PM Kathleen Moriarty <
kathleen.moriarty.ietf@gmail.com> wrote:

> Hi Mike,
>
> This is a pretty big topic that’s been explored quite a bit.  The long
> term impact of these changes could be very positive.  I just published a
> book on the topic of embracing E2E among other topics after exploring the
> impact on operators in RFC8404.  In other words, both directions were
> explored to reach a possible way forward with increased security and how to
> get the control/visibility in order to embrace these changes.
>
> I’m happy to talk more, but fear the length of a thread on this list and
> may not keep up with it given my current workload.
>
> Best regards,
> Kathleen
>
> Sent from my mobile device
>
> > On Sep 12, 2020, at 11:07 AM, Michael D'Errico <mike-list@pobox.com>
> wrote:
> >
> > Hi,
> >
> > I get a weird feeling that the internet is being hijacked and soon it
> will be impossible to reverse course.  I have not followed the development
> of TLS 1.3 but it seems very different from TLS 1.2. Also TLS 1.2 is very
> different from TLS 1.0/1.1 (which are being deprecated).  QUIC looked good
> at a glance, but it seems to rely on TLS to share key material, and also
> I'm more than a bit concerned about its capability to track users.
> >
> > Then there's Zoom video conferencing, where everybody working from home
> or in virtual school has an audio and video feed streaming to their
> servers.  Github is owned by Microsoft with some dire consequences.  Lots
> of large companies trying to be everything to everyone, and it turns out
> they're cruel.
> >
> > Anyone?
> >
> > Mike
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls