Re: [TLS] Breaking into TLS to protect customers

"Ackermann, Michael" <MAckermann@bcbsm.com> Thu, 15 March 2018 21:50 UTC

From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Rich Salz <rsalz@akamai.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Breaking into TLS to protect customers
Thread-Index: AQHTvA3iixHTI7nuzEOVKDOY2Cg356PQvDUAgAEanAA=
Date: Thu, 15 Mar 2018 21:50:28 +0000
Message-ID: <BN7PR14MB23698A785363CC424A981A15D7D00@BN7PR14MB2369.namprd14.prod.outlook.com>
References: <C43EDAAC-1CA1-4289-8659-B2E05985F79C@akamai.com> <E22E3F4C-2A44-4F17-9FEA-18760C36A1E8@gmail.com>
In-Reply-To: <E22E3F4C-2A44-4F17-9FEA-18760C36A1E8@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wm0RFl2fu7NsIHvO9hNIDQ1AF18>

Good point Yoav.

And this positive side effect holds true in the health care and insurance industries as well, and is not an accident. It is one of the primary reasons this monitoring is performed.

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Thursday, March 15, 2018 12:58 AM
To: Rich Salz <rsalz@akamai.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Breaking into TLS to protect customers

Hi, Rich.

You are conflating customers and users. The customer that may be protected by breaking TLS in a bank’s server farm is the bank itself. An IPS system with visibility into the traffic may detect bots that are there to steal data or mine cryptocurrencies or whatever.

If the customers of the bank are protected, it’s a happy side effect (collateral benefit?). The object is to protect the system integrity and the data.

Yoav


On 15 Mar 2018, at 5:29, Salz, Rich <rsalz@akamai.com> wrote:

Some on this list have said that they need to break into TLS in order to protect customers.

The thing customers seem to need the most protection from is having their personal data stolen. It seems to happen with amazing and disappointing regularity on astounding scales. Some examples include:

- retailer Target, presumably subject to PCI-DSS rules
- Anthem health insurance, presumably a regulated industry
- Equifax, a financial-business organization (but apparently not regulated)
- Yahoo, a company created on and by and for the Internet (one would think they know better)

We could, of course, go on and on and on.

NONE of those organizations are using TLS 1.3.

So what kind of “protect the customer” requires breaking TLS?  And what benefits and increased protection will customers see?




