On Fri, Jul 14, 2017 at 11:12 PM, Daniel Kahn Gillmor <d...@fifthhorseman.net > wrote:
> * This proposed TLS variant is *never* acceptable for use on the public > Internet. At most it's acceptable only between two endpoints within > a datacenter under a single zone of administrative control. > > * Forward secrecy is in general a valuable property for encrypted > communications in transit. > If there's anyone on the list who disagrees with the above two > statements, please speak up! > I agree with the second statement, but I don't really follow the logic of the first. On the public internet, it's increasingly common for traffic to be MITMd in the form of a CDN. Many commenters here have also responded "Just use proxies". I don't get how that's better. A proxy sees all of the plaintext, not just selected amounts. All of the same coercion and compromise risks apply to a proxy too, but since it undetectably sees everything, that would seem objectively worse from a security/privacy risk POV. Or put another way: if these organizations need to occasionally inspect plaintext, would I prefer that it's the kind of system where they have to go pull a key from a store, and decrypt specific ciphertexts on demand offline, or do I want them recording plaintext *all* of the time inline? It seems utterly bizarre that we would collectively favor the latter. We end up recommending the kinds of systems that are an attacker's dream. Here's what I'd prefer: * Don't allow static DH. In fact, forbid it, and recommend that clients check for changing DH params. * For the pcap-folks, define an extension that exports the session key or PMS, encrypted under another key. Make this part of the post-handshake transcript. * pcap-folks can do what they want, but clients will know and can issue security warnings if they desire. Forbiding static DH enforces this mechanism, and we can collectively land in a better place than we are today. -- Colm
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
