IETF Logo Mail Archive

Re: [TLS] datacenter TLS decryption as a three-party protocol

Christian Huitema <huitema@huitema.net> Sun, 23 July 2017 21:37 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F48F12ECCE for <tls@ietfa.amsl.com>; Sun, 23 Jul 2017 14:37:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id og6-D39Fetwz for <tls@ietfa.amsl.com>; Sun, 23 Jul 2017 14:37:53 -0700 (PDT)
Received: from mx36-42.antispamcloud.com (mx36-42.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61062127867 for <tls@ietf.org>; Sun, 23 Jul 2017 14:37:53 -0700 (PDT)
Received: from xsmtp03.mail2web.com ([168.144.250.223]) by mx36.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1dZOZT-0005aN-Sn for tls@ietf.org; Sun, 23 Jul 2017 23:37:52 +0200
Received: from [10.5.2.12] (helo=xmail02.myhosting.com) by xsmtp03.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1dZOZS-0004Sw-7j for tls@ietf.org; Sun, 23 Jul 2017 17:37:51 -0400
Received: (qmail 4491 invoked from network); 23 Jul 2017 21:37:49 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.66]) (envelope-sender <huitema@huitema.net>) by xmail02.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tls@ietf.org>; 23 Jul 2017 21:37:48 -0000
To: tls@ietf.org
References: <CAAF6GDeFuRy0DN6w3FwmR_nh1G=YBi4+qiEcw0MfSRj4SUCbZQ@mail.gmail.com> <20170720200114.AA2F91A6CB@ld9781.wdf.sap.corp> <06AE85BC-87AD-4CA5-8408-44F670358701@ll.mit.edu> <20170720203238.e66zurx5yn2jja3a@LK-Perkele-VII> <17109486-336E-44C0-B9FC-D65EE14310B5@ll.mit.edu> <20170723070240.x7kmynzmu4jqco5t@LK-Perkele-VII> <C0772D29-CB26-418F-981B-BC2E2435E655@ll.mit.edu> <35FD3356-8300-405A-B8D8-FC2574DB9A56@fugue.com> <CE89217F-972F-4F37-B8BA-925AE1FE8D68@ll.mit.edu> <44105D6B-4CE0-4C3C-ACFA-30EF1D8AA8F7@fugue.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <318b4504-08b3-e2db-026b-a79ea4d1aec2@huitema.net>
Date: Sun, 23 Jul 2017 14:37:46 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <44105D6B-4CE0-4C3C-ACFA-30EF1D8AA8F7@fugue.com>
Content-Type: multipart/alternative; boundary="------------778AB9981D25B4F2AA589C43"
X-Originating-IP: 168.144.250.223
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.17)
X-Recommended-Action: accept
X-Filter-ID: PqwsvolAWURa0gwxuN3S5YEa3T7JuZT23fGO2rGt3ZgTCGhDnudOJ80D1c8rffxrus7BTv7Ss8cH d2IQQuvdbtM+m4WpRRDP6YzwkAPgQJbFuHJrd6q7ImwszS9kW0E9ND46yZLY9QyX+cRXmooQ3hum JwiT+2brWmQlzkLIcXivpIH4ag6BM/+u9ym+BA23mh8X3andYQdWZYMgV8Y6GtdeLtSl0HbbXg+s ehKFyiAEGtIdfkvDNWcf2iA7z8p0YOEkjsX7F8KmpUaZQHV+Sf+k51CV8HOoCp+bWB2rXxO2G5Pj 7iQJEmtNUzH3idZ6uMF2OhyCCCV83x+RZrKIj0QqMGQOSwmEPwP4wBzM77N8GvkYGGDFjg9NrmGY yNnXsSjdYwfRhjHqxQXDsBKLpGhWDl86FRLsucalajANCRP6lO4FGen962xgCFRckncKfg1XSK9P 1z/R6plfrFWGyc3azBLlqnENrF/E3Tt6iEPeNHk15VolAGHS5rCXQKDym+Gab6cuAPzLi/SdAxlO dgkraHgbbAuZgv0Q6mJ3vUcipz1IT62ZEk6+MmovaufbiR3bHfnMCIEU+nrglojKwMr3vOY18GvB wSXAfWcj236N2IVdgBdepwvDBBcDOz9LNdSMuNhZC3X/nGdDKYyg+1Fotn1TGspRGWfHjmaruO0b XpkevaElTi+sCWwmqxHi+BUHXGjp0J8FpT+J6AFTxh8XBHmF2hIeyKfJwZiM12egGl1aPxAtivmw 3hSDPS17fNhfekBTUX9xNtWKgIxLAi2wErj03uQL9OSP3oAqkbgmxYRXOZgzdAQCjuYKoBVKyLoA 6S28+bT6JBt5hIe9NsT+zJGLhBRfUiVo7tDfe93qlFit1PvkPF7Ua1AOSWcb0i13zjCiwPgdt77s k1WBMw==
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rzCaxxV5S1OXnxj8g4_dH1zg8bQ>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jul 2017 21:37:55 -0000


On 7/23/2017 12:37 PM, Ted Lemon wrote:
> On Jul 23, 2017, at 12:05 PM, Blumenthal, Uri - 0553 - MITLL
> <uri@ll.mit.edu <mailto:uri@ll.mit.edu>> wrote:
>> I think there's no way the connection can be established if the third
>> party in control of the network does not allow that. 
>
> This is why it’s hard to reason well about this stuff—we tend to get
> the threat models wrong.   The attack that negotiating enables is not
> that a third party can block all connections. They can always block
> /all/ connections.
>
> What the attack enables is blocking only those connections that don’t
> negotiate a downgrade. So if you negotiate a downgrade, you get to
> look at your content, but if you don’t negotiate the downgrade, you
> don’t. This allows a MiTM to coerce end users into negotiating downgrades.

Speaking of threat model, one of the main threats is the "Lavabit" case:
a server is asked to somehow implement a backdoor so existing clients.
In that case, it is very useful for clients to detect that something has
changed. They can move away and use another server.

We are also concerned with the "open library" case, in which the
backdoor ends up being implemented by default in popular libraries. If
that happens, the backdoor can be instantiated via a simple
configuration parameter, and coercion becomes that much easier.
Publishing an RFC describing the back door would of course increase the
risk that the corresponding code ends in the common libraries, and that
is reason enough to not publish such a text.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email