Re: [TLS] Industry Concerns about TLS 1.3

BITS Security <> Fri, 23 September 2016 21:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A299B12B56F for <>; Fri, 23 Sep 2016 14:24:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id i0XHpfmLjOvr for <>; Fri, 23 Sep 2016 14:24:43 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8FAB612B464 for <>; Fri, 23 Sep 2016 14:24:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-fsroundtable-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=hWLhDzDeihPY0b6+dVHU2k8GwgLrTpVc4fvBF2izFII=; b=BGmaddrWJL0YOLQcAbkBDbQSPb+Gn6Xfie+UaH7e6aHveUv7dy3lRXhY02LK9uVayLBTpT9xj3tdMKOELE08bfYDxqAa2jj/1ttqdevuv/8D67S0TbpJqGqhvt2RlKF6vxkR9oOvXTyPY+RHOKbMagWJKjH3fghaJT7RVPfx0SA=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.619.10; Fri, 23 Sep 2016 21:24:42 +0000
Received: from ([]) by ([]) with mapi id 15.01.0619.011; Fri, 23 Sep 2016 21:24:42 +0000
From: BITS Security <>
To: Watson Ladd <>
Thread-Topic: [TLS] Industry Concerns about TLS 1.3
Thread-Index: AdIU8WqWM9WBapZoQzyfqxiOaK25faCHlnLw
Date: Fri, 23 Sep 2016 21:24:42 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 90f03fda-5aa6-48d6-c3eb-08d3e3f80861
x-microsoft-exchange-diagnostics: 1; DM5PR11MB1420; 6:rQ6zX1qCmjpqhEIr2qPmVH3Xl7R3IRvqAjX4/yfCG/ujZF3gQHalES2c/y2DyeWI6mXEmpCP/Px6dHbvFRd80pTzXJrYPhaPAUnZ6sF9GV8tRg8W/74Bke9mILoX56Djhd0lmvfScdQl6oFgNrh6DWRzodjgafiZswlWJGDigIpgftbWq6EMomVrgmutUJcH4XUZYByXRBwfLJUaJAEDkLi0HcjjBHHxbc7VWoiQR+rGQakk7fptTlOgQ4UdyeldvS2Z4GkfWbzasX3djC1YFZEFy6TWGqH1PDb/JvHrjhINul7TiEPgVYuZXetKUV3x; 5:YDGHpTnmqin/ntTt7y7jHJ3N4k8S4otBXTdf9RsGasF779XrSARKUu+3/UuXg9NuLC2lpgpu6HrB3xNOfGVZPb9FHjAC1qDVEyYmIfMqnRSr4mWXfA+W833A52YJ3FLltDAbb+C3PnKeqUvJ6Yxh9Q==; 24:hmtODEsgVuGJromyTsrJQZQ9ApeQSbHplj+okpmkOHsByW16ncRxD3gZqUSsWy+MRON5lxNj9ZYbAniH0fDaGXcXmxFPVBSLjtAJFLrohVA=; 7:9aKZ264EQHg88ipvhAKutDtuySL+a6TpV1T6+m89bNRgSkHe35W/h49ZdyNFxZoaMMolLEPxb4535UcRlqK2RmPjvByNXXeaZ+NokNzuJFrSswk7JkANGApg8XPygBub08P6/KaPlmNDeMlxl5Up+OynGyJ71qVHGoktyXniblLYOi38qgjH8U3Oxuu9J0h7/Bb++bQKBT4GwGmomNREP2dUoJyDYiZqUFxnIOSeU4vj23AgViwWgLxx2+7iNJmIXyFRmq/ozlMWwiqq1rEZNTeaIboMpLmllYA5aAMprVaaJHx0cSmZ4uePcFMIctD5
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM5PR11MB1420;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(278428928389397)(72170088055959)(192374486261705)(788757137089)(266576461109395)(231250463719595)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6042046)(6043046); SRVR:DM5PR11MB1420; BCL:0; PCL:0; RULEID:; SRVR:DM5PR11MB1420;
x-forefront-prvs: 0074BBE012
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(189002)(377454003)(13464003)(24454002)(199003)(74316002)(3660700001)(105586002)(19580395003)(102836003)(586003)(19580405001)(3846002)(92566002)(99286002)(106356001)(4326007)(3280700002)(305945005)(97736004)(5660300001)(9686002)(8936002)(6916009)(68736007)(33656002)(80792005)(551934003)(189998001)(110136003)(81156014)(8676002)(15975445007)(87936001)(7736002)(76176999)(7696004)(122556002)(66066001)(11100500001)(7846002)(6116002)(81166006)(2906002)(555904002)(86362001)(10400500002)(76576001)(101416001)(54356999)(5002640100001)(50986999)(77096005)(2900100001)(2950100002)(1411001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1420;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Sep 2016 21:24:42.0200 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 841de5a0-73e8-4cbc-8142-f80b225ef22d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1420
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 23 Sep 2016 21:24:46 -0000

> Let's get specific about how this works: if an employee of a regulated
> institution is logging into a TLS protected social media website, how
> do you decrypt the connection without using a MITM device on the
> network? I'm sure with large enough checks collaboration application
> providers will be happy to implement whatever you need in the way of
> logging at the server. 

The issue here is not just collaboration applications; it’s also point-to-point messaging protocols.   
Some vendors have created p2p messaging services to meet supervision requirements, and these have an explicit man-in-the-middle.   
But general-purpose messaging services (and other collaboration services) which don’t have an explicit man-in-the-middle (and don’t permit server-side access to user plaintext and can’t be observed by other means) can’t be used in supervised environments. This rules out many cloud-hosted services today. 
In the future, even enterprise-hosted versions of messaging services probably won’t be usable in supervised environments if there’s no way for the enterprise to access traffic except on the destination endpoint.   

> And firing isn't enough of a threat to get people to behave when it
> comes to circumventing monitoring? 

The issue isn’t getting people to behave, or punishing them when they don’t; it’s demonstrating that the business has met its legal obligation to create a record of communications that can be accessed in case of an investigation.  An employee who circumvents controls can be fired, but that does not absolve the business of liability for failing to create a legally required record of the content of that employee’s communications.

- Andrew

-----Original Message-----
From: Watson Ladd [] 
Sent: Thursday, September 22, 2016 3:06 PM
To: BITS Security <>
Subject: Re: [TLS] Industry Concerns about TLS 1.3

On Thu, Sep 22, 2016 at 10:19 AM, BITS Security <> wrote:
> To:  IETF TLS 1.3 Working Group Members
> My name is Andrew Kennedy and I work at BITS, the technology policy division of the Financial Services Roundtable (  My organization represents approximately 100 of the top 150 US-based financial services companies including banks, insurance, consumer finance, and asset management firms.
> I manage the Technology Cybersecurity Program, a CISO-driven forum to investigate emerging technologies; integrate capabilities into member operations; and advocate member, sector, cross-sector, and private-public collaboration.
> While I am aware and on the whole supportive of the significant contributions to internet security this important working group has made in the last few years I recently learned of a proposed change that would affect many of my organization's member institutions:  the deprecation of RSA key exchange.

You've "recently learned" about a change that was proposed several
*years* ago, starting in the earliest drafts of TLS 1.3. This change is being made due to substantial security issues with encryption based key exchanges: while we could redesign the exchange to repair these issues, the risk of key compromise resulting in decryption of old data is real.

> Deprecation of the RSA key exchange in TLS 1.3 will cause significant problems for financial institutions, almost all of whom are running TLS internally and have significant, security-critical investments in out-of-band TLS decryption.
> Like many enterprises, financial institutions depend upon the ability to decrypt TLS traffic to implement data loss protection, intrusion detection and prevention, malware detection, packet capture and analysis, and DDoS mitigation.  Unlike some other businesses, financial institutions also rely upon TLS traffic decryption to implement fraud monitoring and surveillance of supervised employees.  The products which support these capabilities will need to be replaced or substantially redesigned at significant cost and loss of scalability to continue to support the functionality financial institutions and their regulators require.
> The impact on supervision will be particularly severe.  Financial institutions are required by law to store communications of certain employees (including broker/dealers) in a form that ensures that they can be retrieved and read in case an investigation into improper behavior is initiated.  The regulations which require retention of supervised employee communications initially focused on physical and electronic mail, but now extend to many other forms of communication including instant message, social media, and collaboration applications.  All of these communications channels are protected using TLS.

Let's get specific about how this works: if an employee of a regulated institution is logging into a TLS protected social media website, how do you decrypt the connection without using a MITM device on the network? I'm sure with large enough checks collaboration application providers will be happy to implement whatever you need in the way of logging at the server.

> The impact on network diagnostics and troubleshooting will also be serious.  TLS decryption of network packet traces is required when troubleshooting difficult problems in order to follow a transaction through multiple layers of infrastructure and isolate the fault domain.   The pervasive visibility offered by out-of-band TLS decryption can't be replaced by MITM infrastructure or by endpoint diagnostics.  The result of losing this TLS visibility will be unacceptable outage times as support groups resort to guesswork on difficult problems.

This can be solved by logging the entire connection contents at the endpoint. I don't understand how you say that this is not a
replacement: it's literally the same data as you obtain decrypting the session. This is a requirement that many of the companies involved in the TLS 1.3 process have also, and they haven't complained about it.
Maybe I don't understand what architecture you have which makes this impossible. If you have too much volume, then I don't see how your network appliance doesn't have the same problem. If it's intermittent, and you didn't log verbosely on errors, set up the endpoint to log the next fault, and wait.

> Although TLS 1.3 has been designed to meet the evolving security needs of the Internet, it is vital to recognize that TLS is also being run extensively inside the firewall by private enterprises, particularly those that are heavily regulated.  Furthermore, as more applications move off of the desktop and into web browsers and mobile applications, dependence on TLS is increasing.
> Eventually, either security vulnerabilities in TLS 1.2, deprecation of TLS 1.2 by major browser vendors, or changes to regulatory standards will force these enterprises - including financial institutions - to upgrade to TLS 1.3.  It is vital to financial institutions and to their customers and regulators that these institutions be able to maintain both security and regulatory compliance during and after the transition from TLS 1.2 to TLS 1.3.

Browsers haven't even succeeded in killing SSL 3.0 yet. I think you have much more time then you think to stay on TLS 1.2.

> At the current time viable TLS 1.3-compliant solutions to problems like DLP, NIDS/NIPS, PCAP, DDoS mitigation, malware detection, and monitoring of regulated employee communications appear to be immature or nonexistent.  There are serious cost, scalability, and security concerns with all of the currently proposed alternatives to the existing out-of-band TLS decryption architecture:
> -  End point monitoring: This technique does not replace the pervasive network visibility that private enterprises will lose without the RSA key exchange.  Ensuring that every endpoint has a monitoring agent installed and functioning at all times is vastly more complex than ensuring that a network traffic inspection appliance is present and functioning.  In the case of monitoring of supervised employee communications, moving the monitoring function to the endpoint raises new security concerns focusing on deliberate circumvention - because in the supervision use case the threat vector is the possessor of the endpoint.

And firing isn't enough of a threat to get people to behave when it comes to circumventing monitoring?

> -  Exporting of ephemeral keys:  This solution has scalability and security problems on large, busy servers where it is not possible to know ahead of time which session is going to be the important one.
> -  Man-in-the-middle:  This solution adds significant latency, key management complexity, and production risk at each of the needed monitoring layers.
> Until the critical concerns surrounding enterprise security, employee supervision, and network troubleshooting are addressed as effectively as internet MITM and surveillance threats have been, we, on behalf of our members, are asking the TLS 1.3 Working Group to delay Last Call until a workable and scalable solution is identified and vetted, and ultimately adopted into the standard by the TLS 1.3 Working Group.

Critical to whom? Not me. If you want to propose a solution that works please do so. But don't pretend your problems are our problems.

Watson Ladd

> Sincerely,
> Andrew Kennedy
> Senior Program Manager, BITS
> _______________________________________________
> TLS mailing list

"Man is born free, but everywhere he is in chains".