Re: [Uta] opportunistic keying / encryption considered of dubious value
Yan Zhu <yan@eff.org> Sun, 16 March 2014 22:35 UTC

On 03/16/2014 07:23 AM, Keith Moore wrote:
> On 03/16/2014 10:01 AM, Leif Johansson wrote:
>
>> I think that the point of the exercise: dramatically increase the cost
>> of pervasive attacks on the system so that a real cost/benefit analysis
>> has to be made before investing in them.
> I would define it slightly differently - whenever possible, raise the
> cost of attacks on network protocols to the point that they can only be
> justified if narrowly targeted. That's a higher bar than merely
> requiring a cost/benefit analysis.
>
> (of course, that merely means that more pervasive attacks will target
> operators' servers where the information will generally still be
> available in cleartext. still, that seems like an improvement.)
>

I agree that zero cleartext is an improvement; however, I fear that
sanctioning opportunistic encryption (OE) will hinder our long-term goal
of getting every server to use real TLS with key pinning, certificate
transparency, etc. In other words, if lazy sysadmins get the impression
that OE is "good enough", they'll have even less motivation than they do
now to deploy authenticated TLS, which is the minimum level of security
that we should be asking for, given the scale of active MITM attack
infrastructure that NSA has allegedly been developing (ex:
https://www.eff.org/deeplinks/2014/03/new-nsa-slides-reveal-tailored-access-run-amok).

As a side note, I think some folks in this discussion may be
exaggerating the cost of active MITM attacks in a world with OE,
compared to the cost of passively collecting traffic. The cost
difference may be prohibitive to someone on their laptop sniffing
traffic at a coffeeshop, but it's unlikely to force ISPs and government
spy agencies to move to "narrowly targeted" surveillance; they can
easily MITM every OE connection or force a downgrade.

A security engineer for a large browser vendor who has more perspective
than I do on this particular issue wishes to anonymously contribute the
following argument:

"""
OO: Opportunistic Obfuscation. I won't honor unauthenticated encraption
with the name "encryption".

Many site operators are looking for any reason at all to not do any work
to authenticate or otherwise secure their services. The stronger the "OO
is OK" view is presented, the more they will tend to believe that when
HTTP2 rolls out, the less work they will have to do. "OO is Better Than
Nothing," they'll say. "That should be good enough for our users." It is
not. OO would slow the adoption of real security.

There is a range of options on the continuum between passive and active
attack, at varying cost levels. Meditate on the Snowden documents,
especially the QUANTUM stuff. And in any case, attacks always get better
(cheaper, more powerful), never worse. Even if OO were sufficient now
(it's not), it would not suffice next year.

Our reasonable fear is that states have compromised CAs, making
fully-authenticated, real HTTPS ineffective or less effective. (Hence
PKP, TACK, and CT.) The idea that OO is enough to stymie the most
powerful militaries in the world does not pass the giggle test.
"""