A higher-level view on this issue. TLS has been designed as a protocol that allows two entities to communicate securely over a network controlled by an adversary, including abusive authorities.
“But we (the (network) authorities) are the good guys, and we need to break the guarantees TLS provides so we can catch criminals – and here is how we propose to break TLS-1.3”. Considering that unless at least one of the end-points chooses to comply with the “rules” it will not work – the claim that this measure is to help the good guys does not sound very candid. Who is the intended target of this mechanism? What kind of criminals is it supposed to catch/detect? Surely not the malware that penetrated your infrastructure and tries to “call home”? History shows that criminals violate laws, regulations, and even network protocols (:-) – that’s why they called criminals. Criminals also proved capable of creating quite sophisticated malware. The proponents of the “broken TLS” somehow expect that those criminals would use weakened crypto for the convenience of the network police. How much sense does this make? Experience shows that criminals use not just cutting edge – bleeding edge crypto. For example, consider Confiker. Plus, there are many ways to foil this proposed mechanism – for example, super-encrypting the data before transmission. Then there’s an issue of the abuses. First, not all of the “legitimate” authorities are “good guys” (all the time :). Second, I’m not aware of any “network security” tool that hasn’t been subverted at some point in time. The likely result of the “static-dh-…” proposal is improved mass surveillance by authorities, and exploits of this mechanism by the organized crime. To those who need that surveillance: stay with TLS-1.2. An important goal of TLS-1.3 is preventing the possibility of this surveillance. To everybody: you can’t have your cake and eat it too. Either you have PFS and the bad guys will benefit from it too (so you need to detect and fight them using other methods), or only the bad guys have PFS and you might [0] detect them because their “protection quality” stands out amidst the ocean of the automatically-inspected & censored traffic. [0] “Might” rather than “would”. Because there are well-known ways of hiding the presence of encryption, at the cost of increase of the ciphertext size. The hope that the encrypted traffic would stand out is unfounded. Considering how fast the attack sophistication is evolving, the likelihood that “they” would employ other countermeasures, but ignore this one is fairly low. -- Regards, Uri _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
