Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)

Carl Wallace <carl@redhoundsoftware.com> Sat, 24 March 2018 16:47 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A759412D7E6 for <tls@ietfa.amsl.com>; Sat, 24 Mar 2018 09:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIMo2bahZfDa for <tls@ietfa.amsl.com>; Sat, 24 Mar 2018 09:47:01 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12B7112D7E5 for <tls@ietf.org>; Sat, 24 Mar 2018 09:47:01 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id c20so4943405ywa.2 for <tls@ietf.org>; Sat, 24 Mar 2018 09:47:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=sI37fGuvjNYaIn1oIEMschypKIfHWLmxy2T/9M/H/zU=; b=f0o4y40TTInBcySibMAhoESB+o3CoxWqr4quhWMU7JnZ6d031ZLYEMzuNVc64NRqG7 rnxuyjAhUXK+Bttz/9C3JiY+Gu+CULk6Nkn34zeEafz1gajv+T+f0341ZdCO394wdhvW F79PAZPkfNIIAGkiB3SbaFfCoA+KKlVQ90m+M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=sI37fGuvjNYaIn1oIEMschypKIfHWLmxy2T/9M/H/zU=; b=sIEPdbsXOrbbMhu0jRhA1qtIXJjU8i+WyX47Ng5O/kZlThUHJH+Vw+BgyexvL+7Ody herj13+mzF3VSwNWnBu8/HBjpp5AMaSkIGI1U2vnXyxHxrCfckNs5qndsDGt6HTAMFu5 7qLnD3tosQRnx5x34yMahdj2QLo9IpUcHxHn4n9Njoeben53dnyNW1TOTaD4QHJKwadS yCtk911PogWqGGzygqdi+YtWsUORHKuuiLQYkQRIVFrc8bcpXypEf1Yayc+UEXcsQT3q UyGcpnHheO6TL84yzm8boiNYhEOrLZ6bPW2dF2HSPcqNk0is5Gl7CMEKUv1a6cjJApZ4 NqCA==
X-Gm-Message-State: AElRT7G4AQaimFqZ+o8jpw6tyJVuVQ6DCFPShlKjzykZTS0OE/kXHcgl bINDm9E6N8TcEiNEoSTy2/8GWg==
X-Google-Smtp-Source: AG47ELs43jXdlov6QzAhBzAk5ZcqAQlnKEI7mVXVVxjgMW8tzMySId86Dm0OHRESWN/ZyAAliQPMjg==
X-Received: by 10.13.211.195 with SMTP id v186mr19883981ywd.163.1521910020073; Sat, 24 Mar 2018 09:47:00 -0700 (PDT)
Received: from [192.168.0.5] (cpe-71-76-32-13.sc.res.rr.com. [71.76.32.13]) by smtp.googlemail.com with ESMTPSA id c128sm4392677ywb.0.2018.03.24.09.46.57 (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 24 Mar 2018 09:46:59 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.7.6.170621
Date: Sat, 24 Mar 2018 12:46:52 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Tony Arcieri <bascule@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Message-ID: <D6DBF8C8.B3AB9%carl@redhoundsoftware.com>
Thread-Topic: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)
References: <810C31990B57ED40B2062BA10D43FBF501C45B43@XMB116CNC.rim.net> <CAMqknA4rE_R08_2abVYP2ii5CFn_PuC22+tHxi0hxt=OEDp0NQ@mail.gmail.com> <CAHOTMVJtn0x6xyAoePvfB9JNr5mAeD95DUsqYX3yO7vqrpZ=zQ@mail.gmail.com>
In-Reply-To: <CAHOTMVJtn0x6xyAoePvfB9JNr5mAeD95DUsqYX3yO7vqrpZ=zQ@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3604740419_2159102"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/k83vQ3oBjmaKtzOW24h7KP6ejfw>
Subject: Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 16:47:03 -0000


From:  TLS <tls-bounces@ietf.org>; on behalf of Tony Arcieri
<bascule@gmail.com>;
Date:  Saturday, March 24, 2018 at 11:31 AM
Subject:  Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do
it)

> On Fri, Mar 23, 2018 at 11:26 PM, Alex C <immibis@gmail.com>; wrote:
>> As I understand it (poorly!) the idea is exactly to have a single system on
>> the network that monitors all traffic in cleartext.
> 
> And more specifically: to be able to *passively* intercept traffic and allow
> it to be decrypted by a central system. "Visibility" with an active MitM is a
> solved problem: have the MitM appliance double as an on-the-fly CA and install
> its root certificate in the trust stores of all the clients you intend to
> MitM.

It's not a solved problem for mutual authentication scenarios even if you
drop the passive requirement (as should be done in such cases anyway).