Re: [TLS] Breaking into TLS to protect customers

Eric Mill <eric@konklone.com> Mon, 19 March 2018 21:59 UTC

Return-Path: <eric@konklone.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C558412D94D for <tls@ietfa.amsl.com>; Mon, 19 Mar 2018 14:59:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com header.b=BJEOdbE6; dkim=neutral reason="invalid (public key: not available)" header.d=konklone.com header.b=pyX1kRZc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Azhkzq7Xu40C for <tls@ietfa.amsl.com>; Mon, 19 Mar 2018 14:59:53 -0700 (PDT)
Received: from pb-smtp2.pobox.com (pb-smtp2.pobox.com [64.147.108.71]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA2CE12D779 for <tls@ietf.org>; Mon, 19 Mar 2018 14:59:52 -0700 (PDT)
Received: from pb-smtp2.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 2E2C9D477E for <tls@ietf.org>; Mon, 19 Mar 2018 17:59:52 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sasl; bh=XEULnBobEsKNS5InsvgvdSkBp4w=; b=BJEOdb E6yc9RGCXibgTzEEm25d3gpJgIgp9TzpGoY6KR/o9w56dHzIqqX4d1fp2Gx21qcd pMfOFdyq3u+l8/9H9OCZhveXq4ENQ/wVqMl5Pd2+WkRgkiXDM+MAJnHPBf87evnt EDCElBdPNuUh18JWSL9+EeENUuGsGT+5WDgZw=
Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 2452BD477D for <tls@ietf.org>; Mon, 19 Mar 2018 17:59:52 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=konklone.com; h=mime-version:in-reply-to:references:from:date:message-id:subject:to:cc:content-type; s=2016-12.pbsmtp; bh=wRppkRojCVxXJtW+jKp9XRIjIoJ2iLqJpRyvO+xnUvU=; b=pyX1kRZc1aiURGZSRppF1hPOxS8L53UtWoNWTka6A4XUlwcYaGmCDVqzwOgzTFoDnMs93L3VvN+kh7yR0fY32WBb7xJjazhd/6SNZrvtOKuq2FfuCMOc4Ntd8nNskQ4w78X3cSXWgMfKm0scjVhFgxVK3Gei7ffPAPDgJFNVKHc=
Received: from mail-io0-f169.google.com (unknown [209.85.223.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id AB147D477B for <tls@ietf.org>; Mon, 19 Mar 2018 17:59:51 -0400 (EDT)
Received: by mail-io0-f169.google.com with SMTP id 141so2105216iou.12 for <tls@ietf.org>; Mon, 19 Mar 2018 14:59:51 -0700 (PDT)
X-Gm-Message-State: AElRT7Ec/U4c7tDjnswL5scVya3A2Jeevohjx2ppHv2W5rpxX21B1i7X p5xEeLfH3FaMDdZW3Kiq29VXmW+9U/yuLlL93ps=
X-Google-Smtp-Source: AG47ELuqPZ6PbQwQhboXzXRLncOD/G7kgFunGOpVsWl4F4d29ih3mMTlQfJqlOuYviqRR8diHVHo07r22fVr9tUij2s=
X-Received: by 10.107.142.204 with SMTP id q195mr13370019iod.262.1521496791118; Mon, 19 Mar 2018 14:59:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.189.130 with HTTP; Mon, 19 Mar 2018 14:59:10 -0700 (PDT)
In-Reply-To: <883E9392-9163-4523-AB95-35738E27CE5D@gmail.com>
References: <C43EDAAC-1CA1-4289-8659-B2E05985F79C@akamai.com> <E22E3F4C-2A44-4F17-9FEA-18760C36A1E8@gmail.com> <0bd7ed2d174a45d993026c8ed0443ae8@LXDOMEXC01.ssidom.com> <6888195D-1AD6-45B1-8F77-AFA088CFF78A@gmail.com> <87y3iottae.fsf@fifthhorseman.net> <883E9392-9163-4523-AB95-35738E27CE5D@gmail.com>
From: Eric Mill <eric@konklone.com>
Date: Mon, 19 Mar 2018 17:59:10 -0400
X-Gmail-Original-Message-ID: <CANBOYLX1K2+wiHYKpT5jx9uyr+RYPuRtNMrj2WSbpSy6Eyyumw@mail.gmail.com>
Message-ID: <CANBOYLX1K2+wiHYKpT5jx9uyr+RYPuRtNMrj2WSbpSy6Eyyumw@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c05a4e6c2fd1e0567cb13d6"
X-Pobox-Relay-ID: D979EBCC-2BC0-11E8-A68E-67830C78B957-82875391!pb-smtp2.pobox.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rxlv-s68F39LJo7zET6DS_8f2AM>
Subject: Re: [TLS] Breaking into TLS to protect customers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 21:59:55 -0000

On Mon, Mar 19, 2018 at 9:23 AM, Yoav Nir <ynir.ietf@gmail.com>; wrote:
[snip]

> > On 19 Mar 2018, at 7:32, Daniel Kahn Gillmor <dkg@fifthhorseman.net>;
> wrote:
> > So if this technology were deployed on a network where not all parties
> > are mutually trusting, it would offer network users a choice between
> > surveillance by the network on the one hand (opt-in) and censorship on
> > the other (opt-out and be blocked).  Is that right?
>
> I see it a little differently. Your computer or my computer, both of which
> are not configured to opt-in, should not be on such networks. In the
> corporate world, there could be a production network that enforces this and
> has access to corporate resources. There will usually also be a “guest”
> network with unfiltered connectivity, but no access to internal databases.
> This is where visitors go, but also where employee phones connect.
>
> Of course the government of Elbonia might require all networks to have
> this feature, and then you’ll have to decide if you want to configure your
> laptop to opt-in.  I would prefer to stay off-line while I’m in Elbonia in
> that case.
>

That seems like notably less of an option for the citizens of Elbonia.

-- Eric
-- 
konklone.com | @konklone <https://twitter.com/konklone>