IETF Logo Mail Archive

[TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)

Martin Thomson <martin.thomson@gmail.com> Fri, 14 July 2017 06:02 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95FF612EC02 for <tls@ietfa.amsl.com>; Thu, 13 Jul 2017 23:02:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q_f3W16BIWS3 for <tls@ietfa.amsl.com>; Thu, 13 Jul 2017 23:02:22 -0700 (PDT)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDD8212EB69 for <tls@ietf.org>; Thu, 13 Jul 2017 23:02:22 -0700 (PDT)
Received: by mail-it0-x230.google.com with SMTP id v202so12718247itb.0 for <tls@ietf.org>; Thu, 13 Jul 2017 23:02:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=Ac7/Aqszsm09jZ69KT7D04t52UiYHsYu5g2TjlcdO5E=; b=seXgLTwrReWJb0LYe6BPC9nv0zB892J6rwOERhnh5m1nROOH3tA1imU/rwyobTb6b1 CTVhT/9EG5AXO9sLJ8GC70C5MCq5IL0IUvp0xcHA66U7FzRsCwNFDhLXnuXDOWP7m25V 0zudl6N7ZcKWWQf2bhr0l2dQjEQNgdz+jyeKK1Ni07NtTeavR8f0IOZSoA3YmGlZUahq 74WzcFtiGNYh4YSTtMIrgSaITECPpQ6690utx9Dgms/WBY3iAC6esWLpSc5arJsxNt2M bsM8OeAc17cVW1siAs9XBYszfEIMW0ymZjdWwI6y3oY1LFAIoHPv2I2B4PVs5VSSLp+z fPMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=Ac7/Aqszsm09jZ69KT7D04t52UiYHsYu5g2TjlcdO5E=; b=AueoOBv8O39QQ5PRJEgf1rnPM1KDGY/NVomsRATBACxnp8z//sekU0G4AJJwCItiDN CgOCL1Vo4YmraA4EoHt3zTiCQdZ3kEFMlRZ2SkZxDuhdS634tsx2f8gImA/wNFPbIy/Z 888IFnki0jjMfIF3GFtYxLaDCmFh09b/yIAw/kS8eiZaUJTGqhTvSrpKbWiqOmM9TUbb FnOoNLJNf3izd0F5qQ3k22yXw8Z7eEaSz4tALFPuHuAHfasOD/2eHbtObNtL8ngNYxeU pw+jbdJPnopywsC/GCmJ4MmmXAUYleL28bKHOg9WfSAGtM1fuYv+xLrDWO8rBgURrO7L 6+ow==
X-Gm-Message-State: AIVw110ZjFmnLY9YMM4GqGIy0GXeY07WVc6VCiSIq2zevT8ZXP7ROxIr xLD3UIuGbAymi466sFN6azPkdjLWNQ==
X-Received: by 10.107.39.205 with SMTP id n196mr6634172ion.37.1500012141906; Thu, 13 Jul 2017 23:02:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.26 with HTTP; Thu, 13 Jul 2017 23:02:21 -0700 (PDT)
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 14 Jul 2017 16:02:21 +1000
Message-ID: <CABkgnnU8ho7OZpeF=BfEZWYkt1=3ULjny8hcwvp3nnaCBtbbhQ@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uT2A3ItN1PMe_9EwenVC1DibhHo>
Subject: [TLS] Malware (was Re: draft-green-tls-static-dh-in-tls13-01)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jul 2017 06:02:25 -0000

On 14 July 2017 at 01:08, Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com> wrote:
> It sounds like for malware, we could do something to better document
> your security options as well as monitoring.  While the documentation
> is there for key pinning and trust anchors, this might not be obvious
> to network managers - what RFC to look at and how they fit together.

Just an aside, though I think Kathleen already made this point:  If I
were writing malware, I would use TLS.  It's pretty good at what it
does and it's hard to distinguish from legitimate uses (there are some
trick's suggested by McGrew's research on this point).

At the point that I have sufficient control over a host that I can run
my software, then I would pin certificates and the best you could do
is block me.  None of the advice about configuration of trust anchors
(pinning, overrides, etc...) helps at that point.

Most discussions regarding breaking TLS focus on the breaking of TLS
to *prevent* malware from infesting machines.  There at least the
defender has a reason to attack end-to-end security.  But then we're
talking about a very different deployment model than the gazillion
emails recently have contemplated.

v2.23.0 | Report a Bug | By Email