Re: [Uta] Proposed definition of opportunistic encryption using TLS: draft-hoffman-uta-opportunistic-tls-00.txt

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

On 02/03/2014 12:13 PM, Alan Johnston wrote:
> But it's the "ignore any server failure" part that is the security
> reduction, and that is not OE by your definition but "unathenticated TLS"
> that you describe in the Appendix, right?
> 
> Here's a real example:  The EFF's HTTP Everywhere browser extension (
> https://www.eff.org/https-everywhere).  It finds HTTPS connections even
> when I just try to visit the HTTP site.  Does the browser displaying the
> padlock hurt anything?  How does this reduce security for the Internet?

https-everywhere (HTTPS-E) deliberately only includes rules for sites
which are believed to have a non-expired, valid X.509 certificate that
was issued by a member of the CA cartel, using standard https://, and
for which the content served over http is expected to match the content
served over https.  HTTPS-E also *enforces* HTTPS access, so if the web
servers for the sites flagged by HTTPS-E were to stop listening on port
443 or to stop negotiating TLS in the first place, (or an MiTM were to
make it look this way), the browser's connections to those sites would
break.

In these contexts, where the user is not vulnerable to an MiTM,
displaying a lock is reasonable, and is *not* what Paul is warning
against, if i understand the draft correctly.

Opportunistic encryption as declared by the draft is encryption that
*will* fail against an active attacker or MiTM.  It would be bad for the
'net if our tools were to indicate that MiTM-able connections are
"secure" using the same UI as non-MiTM-able connections.

	--dkg