Re: [Uta] opportunistic keying / encryption considered of dubious value

[Yan Zhu <yan@eff.org>]

On 03/16/2014 07:23 AM, Keith Moore wrote:
> On 03/16/2014 10:01 AM, Leif Johansson wrote:
> 
>> I think that the point of the exercise: dramatically increase the cost
>> of pervasive attacks on the system so that a real cost/benefit analysis
>> has to be made before investing in them.
> I would define it slightly differently - whenever possible, raise the
> cost of attacks on network protocols to the point that they can only be
> justified if narrowly targeted.    That's a higher bar than merely
> requiring a cost/benefit analysis.
> 
> (of course, that merely means that more pervasive attacks will target
> operators' servers where the information will generally still be
> available in cleartext.   still, that seems like an improvement.)
> 

I agree that zero cleartext is an improvement; however, I fear that
sanctioning opportunistic encryption (OE) will hinder our long-term goal
of getting every server to use real TLS with key pinning, certificate
transparency, etc.

In other words, if lazy sysadmins get the impression that OE is "good
enough", they'll have even less motivation than they do now to deploy
authenticated TLS, which is the minimum level of security that we should
be asking for, given the scale of active MITM attack infrastructure that
NSA has allegedly been developing (ex:
https://www.eff.org/deeplinks/2014/03/new-nsa-slides-reveal-tailored-access-run-amok).

As a side note, I think some folks in this discussion may be
exaggerating the cost of active MITM attacks in a world with OE,
compared to the cost of passively collecting traffic. The cost
difference may be prohibitive to someone on their laptop sniffing
traffic at a coffeeshop, but it's unlikely to force ISPs and government
spy agencies to move to "narrowly targeted" surveillance; they can
easily MITM every OE connection or force a downgrade.

A security engineer for a large browser vendor who has more perspective
than I do on this particular issue wishes to anonymously contribute the
following argument:

"""
OO: Opportunistic Obfuscation. I won't honor unauthenticated encraption
with the name "encryption".

Many site operators are looking for any reason at all to not do any work
to authenticate or otherwise secure their services. The stronger the "OO
is OK" view is presented, the more they will tend to believe that when
HTTP2 rolls out, the less work they will have to do. "OO is Better Than
Nothing," they'll say. "That should be good enough for our users." It is
not. OO would slow the adoption of real security.

There is a range of options on the continuum between passive and active
attack, at varying cost levels. Meditate on the Snowden documents,
especially the QUANTUM stuff. And in any case, attacks always get better
(cheaper, more powerful), never worse. Even if OO were sufficient now
(it's not), it would not suffice next year.

Our reasonable fear is that states have compromised CAs, making
fully-authenticated, real HTTPS ineffective or less effective. (Hence
PKP, TACK, and CT.) The idea that OO is enough to stymie the most
powerful militaries in the world does not pass the giggle test.
"""