Re: [Uta] Proposed definition of opportunistic encryption using TLS: draft-hoffman-uta-opportunistic-tls-00.txt

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

On 02/03/2014 04:32 PM, Paul Hoffman wrote:
> On Feb 3, 2014, at 9:29 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
>> Opportunistic encryption as declared by the draft is encryption that
>> *will* fail against an active attacker or MiTM.  
> 
> Nope. Opportunistic encryption using TLS, as it is defined in the -00 draft, will work just fine with an MITM.

I think i wasn't clear enough about what i meant by "fail".  Thanks for
catching that.

By "fail" i meant "not protect the user's confidentiality or
authenticity".  I did not mean "cause the connection to fail".

My understanding is that an active attacker who interrupts or MiTMs an
opportunistic encryption will likely be able to succeed at reading the
content of the communication, whether it's because the peers are willing
to proceed without authentication, or because the peers are willing to
fall back to cleartext.

>> It would be bad for the
>> 'net if our tools were to indicate that MiTM-able connections are
>> "secure" using the same UI as non-MiTM-able connections.
> 
> That's true, but it is also different than "failing".

Right, and i think your specification declares this properly.

> If the WG adopts the draft and wants to change the definition, of course it can. But the current definition absolutely allows the opportunistic client to ignore the server's authentication information in order to help prevent a passive snooper from seeing the traffic.

Sure, i'm agreeing with you about this, i think.  I don't think i
proposed a change in the definition.  if you think we're in
disagreement, can you clarify where?

	--dkg