Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

"Roland Dobbins" <rdobbins@arbor.net> Mon, 17 July 2017 15:32 UTC

From: Roland Dobbins <rdobbins@arbor.net>
To: Carl Mehner <c@cem.me>
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Date: Mon, 17 Jul 2017 17:32:13 +0200
Message-ID: <637C97B3-DA63-4F61-8EB5-D938136D520C@arbor.net>
In-Reply-To: <CAEa9xj7sVcGAR03f3pWsK7giFqmu7GRHN4gqh9Nb6uEAOM88Yw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t5MRv2pzac00q4_940MCLk9yCEY>
Subject: Re: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

On 17 Jul 2017, at 16:52, Carl Mehner wrote:

> Do you have an example of where malware would be on your intranet
> where using this draft would help you?

Sure - detecting attempted additional compromise and lateral movement 
utilizing exploits within TLS-encrypted traffic.

Another is detecting (and subsequent blocking of) the download of 
malware by intranet users.

Detecting data exfiltration is also a common use of this technique in 
intranet environments.

> Thirdly, just because something is prevalent and important
> and has been used for many years, doesn't mean that it should
> continue.

Sure - but it's also important to understand the mechanisms and 
techniques which are important to network operators, and to provide 
non-burdensome, non-iatrogenic ways for them to continue fulfilling 
critical functions within their own intranet environments.

> Non-FS was ok, because it's "intranet"; now, it is not, and tools and
> designs will have to change.

I understand what you're saying; but, conversely, isn't it in the 
interests of all of us working within this WG to help define practicable 
solutions that network operators can use on their own intranets to 
troubleshoot and ensure the security of those networks without requiring 
iatrogenic measures?

> (And since we are throwing around PCI hypotheticals.. maybe
> PCI will mandate forward secrecy without static keys because it's
> more secure.. we just don't know.)

Agree with you 100%.  That being said, the PCI/DSS board are quite 
well-versed in the monitoring techniques utilized by relevant 
organizations, so (hopefully!) they'll take this into account, when the 
time comes.

But you're absolutely right - we just don't know.

> The bar, as Steven pointed out earlier, is for you to prove. You
> should be proving that it is necessary, not just that it is prevalent
> or easier.

The problem is that in many cases, the changes required to accommodate 
pervasive PFS within the intranet have the potential to be both 
impractical as well as iatrogenic in nature.  I completely agree with 
you that PFS is very important whenever sending/receiving traffic across 
multiple spans of administrative control, like the public Internet.

> I'm trying to get you to explain how this draft helps with that.

It helps because if the intranet network operator has visibility within 
the TLS tunnel on his own intranet, he has the opportunity to infer the 
existence of unknown and unexpected traffic types, including possible 
superencryption.

Just being able to see something that looks out of place and warrants 
further investigation, without being able to instantly classify it, is 
very valuable, in a security context.

Does that make more sense?

> I recently analyzed some malware that was sending encrypted traffic
> back and forth nested inside TLS. But we didn't need to open up the
> TLS stream to know that it was malware.

Understood - you were able to use some other mechanism, like traffic 
analysis or an endpoint mechanism, to determine the presence of this 
particular malware, yes?

Unfortunately, this isn't always going to be the case, in many 
circumstances and contexts.

> it wouldn't have even helped determine that the crypto was doubled.

Was the malware in question using countersurveillance/obfuscation 
techniques that made it more difficult to infer the presence of the 
additional layer of encryption?

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
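As an added illustration of the "infer the existence of unknown traffic types, including possible superencryption" point above (example code, not from this thread or from any project): once an intranet operator can see the decrypted HTTP body of a TLS session, a byte-entropy check can flag a payload that is declared as text but is statistically indistinguishable from random bytes, which is what a second encryption layer looks like. The thresholds, the helper names and the sample bodies are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_superencrypted(body: bytes, content_type: str, min_len: int = 64) -> bool:
    """Flag a decrypted HTTP body that claims to be text/JSON yet is near-random.

    Binary declared types (images, gzip, octet-stream) are legitimately
    high-entropy, so only text-like declarations are judged; the 7.0-bit
    and 50%-printable thresholds are assumed tuning values, not a standard.
    """
    if len(body) < min_len:
        return False  # too short for the entropy estimate to mean anything
    if not (content_type.startswith("text/") or content_type == "application/json"):
        return False
    return shannon_entropy(body) > 7.0 and printable_ratio(body) < 0.5


def _constructed_random_bytes(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed via a SHA-256 chain)."""
    out, block = b"", b"example-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample bodies: an ordinary JSON response and a 1 KiB blob that
# is served as text/html but carries a nested encryption layer.
JSON_BODY = b'{"status": "ok", "user": "alice", "items": [1, 2, 3]}' * 4
ENCRYPTED_BODY = _constructed_random_bytes(1024)

if __name__ == "__main__":
    print("json flagged:", looks_superencrypted(JSON_BODY, "application/json"))
    print("nested flagged:", looks_superencrypted(ENCRYPTED_BODY, "text/html"))
```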