IETF Logo Mail Archive

Re: [Uta] Proposed definition of opportunistic encryption using TLS: draft-hoffman-uta-opportunistic-tls-00.txt

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 03 February 2014 21:32 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B4841A0210 for <uta@ietfa.amsl.com>; Mon, 3 Feb 2014 13:32:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tgqW7hWX4Nri for <uta@ietfa.amsl.com>; Mon, 3 Feb 2014 13:32:34 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 9F5211A01EE for <uta@ietf.org>; Mon, 3 Feb 2014 13:32:34 -0800 (PST)
Received: from [10.20.30.90] (50-1-98-67.dsl.dynamic.sonic.net [50.1.98.67]) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id s13LCUuN008024 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 3 Feb 2014 14:12:31 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-1-98-67.dsl.dynamic.sonic.net [50.1.98.67] claimed to be [10.20.30.90]
Content-Type: multipart/signed; boundary="Apple-Mail=_88D00597-48DF-4610-A153-145577E9DCBE"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <52EFD1E4.6020200@fifthhorseman.net>
Date: Mon, 03 Feb 2014 13:32:17 -0800
Message-Id: <D8FACB55-C706-4886-9485-2A84EB90CB26@vpnc.org>
References: <20140203045910.9714.53880.idtracker@ietfa.amsl.com> <B8691415-07F3-4081-8247-E103A60E5CF0@vpnc.org> <700ECF7E-253E-4CCC-BD73-6008216E5429@edvina.net> <CAKhHsXFmbc_CxPHSfzji-J7mJTUh4MOfwVFjnOdk-B+bA9miqA@mail.gmail.com> <D9374419-5EFE-455D-B348-F2698001BDF6@vpnc.org> <CAKhHsXHvme7-26MFHwsdvR-osqhy4L1dk6gZve9YR5jPduNi1A@mail.gmail.com> <52EFD1E4.6020200@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X-Mailer: Apple Mail (2.1827)
Cc: uta@ietf.org
Subject: Re: [Uta] Proposed definition of opportunistic encryption using TLS: draft-hoffman-uta-opportunistic-tls-00.txt
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2014 21:32:35 -0000

On Feb 3, 2014, at 9:29 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> Opportunistic encryption as declared by the draft is encryption that
> *will* fail against an active attacker or MiTM.  

Nope. Opportunistic encryption using TLS, as it is defined in the -00 draft, will work just fine with an MITM.

The second paragraph of Section 2 is:

   When an application that supports opportunistic encryption negotiates
   TLS, that application might or might not authenticate the TLS server.
   It is expected that the common case is that applications that
   supports opportunistic encryption will not authenticate the TLS
   servers they connect to.  However, it is acceptable for an
   application that supports opportunistic encryption to only complete
   the TLS negotiation if the TLS server can be validated.

So, it *might* fail against an active attacker or an MITM, but only if the application does what is described in the third sentence. The large expectation is that developers will do what it says in the second sentence, namely continue without authentication.

> It would be bad for the
> 'net if our tools were to indicate that MiTM-able connections are
> "secure" using the same UI as non-MiTM-able connections.

That's true, but it is also different than "failing".

If the WG adopts the draft and wants to change the definition, of course it can. But the current definition absolutely allows the opportunistic client to ignore the server's authentication information in order to help prevent a passive snooper from seeing the traffic.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email