Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)

Roland Zink <roland@zinks.de> Wed, 04 April 2018 14:46 UTC

Return-Path: <roland@zinks.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F265112D94F for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 07:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zinks.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0dZiv0sWhcR for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 07:46:40 -0700 (PDT)
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1E22124D37 for <tls@ietf.org>; Wed, 4 Apr 2018 07:46:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1522853196; s=strato-dkim-0002; d=zinks.de; h=Content-Type:In-Reply-To:Date:Message-ID:From:References:To:Subject: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=joOJkRWlzOzKqmjVY4A4oTuYmOr/1JzTSxDdveW+Y9c=; b=FkTp1AhhnaoHZR5W1iwFt7GBvslWhSE48fxqTboT4EC6X8gHevyQDCpvv516jnAIqP i4fLHsob2Y9dn1A61YpVemPrXcn6Y0DvjH0d/BL1fvR14/q9E2lbuzB5jRrCwa13nbFQ C+U2hWFMzmfJG8ft4UpW/FKvCkg6TqrrdFZr+fy+4RJdd74YYEt8S/8mhUpLLAnc+1tZ ZOqgWNgiA5aD0IQQ2v6AM09qYUWLPlYP36pKowXZ8xsOPH7kYaZ4mcPl0AqUwOdNVwjQ 6mi08gHuVbwLfBNVD4TSWy2xrfHUyZ6fMJzASmtUOYb48tRIhW3GBcK9aAU8Mi69NcgI sAeA==
X-RZG-AUTH: :PmMIdE6sW+WWP9q/oR3Lt+I+9LAZzXrcq8knhvfmBiJzkmKn1YaZ2OgvlDQIHae3Fs8=
X-RZG-CLASS-ID: mo00
Received: from [10.33.22.7] (p54A6DFE8.dip0.t-ipconnect.de [84.166.223.232]) by smtp.strato.de (RZmta 43.1 DYNA|AUTH) with ESMTPSA id k07273u34EkaHle (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp521r1 with 521 ECDH bits, eq. 15360 bits RSA)) (Client did not present a certificate) for <tls@ietf.org>; Wed, 4 Apr 2018 16:46:36 +0200 (CEST)
To: tls@ietf.org
References: <1521920255951.94271@s21sec.com> <20180328231713.6B3D9409B@ld9781.wdf.sap.corp> <DB7PR04MB42529981694A3FDCD0ADD96E8BA10@DB7PR04MB4252.eurprd04.prod.outlook.com> <1727401.ncI4dqslgy@pintsize.usersys.redhat.com>
From: Roland Zink <roland@zinks.de>
Message-ID: <fa7e34cd-e052-6d05-cbab-4b30342958a9@zinks.de>
Date: Wed, 4 Apr 2018 16:46:36 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <1727401.ncI4dqslgy@pintsize.usersys.redhat.com>
Content-Type: multipart/alternative; boundary="------------9D717DE960A2E621CB64F131"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uh4-OarI5-Kcb2QwW6Py0rweqyI>
Subject: Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 14:46:44 -0000

Am 04.04.2018 um 14:43 schrieb Hubert Kario:
> On Friday, 30 March 2018 11:42:23 CEST Vakul Garg wrote:
>> Hi Martin
>>
>>> -----Original Message-----
>>> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Rex
>>> Sent: Thursday, March 29, 2018 4:47 AM
>>> To: Steve Fenter <steven.fenter58@gmail.com>;
>>> Cc: tls@ietf.org
>>> Subject: Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do
>>> it)>
>>> Steve Fenter <steven.fenter58@gmail.com>; wrote:
>>>> To clarify for anyone who has confusion on the enterprise TLS
>>>> visibility use case, I think enterprises need to be able to do
>>>> out-of-band decryption anywhere in the network that they own.
>>> This is argument is so lame.
>>>
>>> In Germany, monitoring communications between individuals or between
>>> individuals and legal entities, including communications over corporate
>>> networks, was made a serious crime in 2004 (TKG 2004) with a penalty of up
>>> to 5 years in prison for listening into such communication.
>>>
>>> The world didn't end.  Really, consider it proven that there is no need.
>> Could monitoring could be legally done if user provided his consent at the
>> time of login into enterprise managed terminal?
>> I guess that's the case in enterprise managed networks.
> No, even then the employer needs to establish a concrete case for inspection
> of the communications of an employee.
> Employer also must not continue inspection of an email as soon as it has
> noticed that it is part of a private message.
>
> https://www.lexology.com/library/detail.aspx?g=f946064a-05d0-4603-ace9-3846b1c7536d
>
> and this is true, to a large degree, for the whole of EU:
> https://www.theguardian.com/law/2017/sep/05/romanian-chat-messages-read-by-employer-had-privacy-breached-court-rules
>
>  From the ECHR ruling:
> "An employer[...] cannot reduce private social life in the workplace to zero.
> Respect for private life and for the privacy of correspondence continues to
> exist, even if these may be restricted in so far as necessary."

This is true, but at the same time the employer is required in many 
countries including Germany to archive many emails and other relevant 
messages. See for example https://en.wikipedia.org/wiki/Email_archiving 
or https://www.intradyn.com/email-retention-laws/. This is often in 
conflict with the above mentioned laws, for an example see 
https://www.theguardian.com/business/2016/jan/08/volkswagen-withhold-emissions-documents-investigations.


I don't think breaking TLS is the way to fulfill such requirements but I 
also think TLS connection to a company shouldn't end up at a third party 
providing hosting or CDN services.


Regards,
Roland



>
>>> There may be _desires_.  For me, those desires are no less unethical as
>>> data collections by apple, camebridge analytica, facebook, google,
>>> microsoft, whathaveyou...
>>>
>>> .... and fortunately, for corporations in germany, such data gathering is
>>> not just unethical, but truely criminal by law.
>>>
>>>
>>> -Martin
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fww
>>> w.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=02%7C01%7Cvakul.garg%40n
>>> xp.com%7C17aacd25ee5c49568aca08d595021677%7C686ea1d3bc2b4c6fa9
>>> 2cd99c5c301635%7C0%7C0%7C636578758559728633&sdata=sa3hcM4C94
>>> %2BX826Xcu4BwvfkIFzfJiB8cjPjOh7s8pI%3D&reserved=0
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls