On Wed, Jul 19, 2017 at 7:48 AM, Watson Ladd <watsonbl...@gmail.com> wrote:
>
> On Jul 17, 2017 12:29 PM, "Roland Dobbins" <rdobb...@arbor.net> wrote:
>
> On 17 Jul 2017, at 21:11, Watson Ladd wrote:
>
>> How do you detect unauthorized access separate from knowing what
>> authorization is?
>>
>
> I think we're talking at cross purposes, here.  Can you clarify?
>
>
> You said you need to look at packets to see unauthorized access. How do
> you know that access is unauthorized unless the authorization system is doing
> the monitoring?
>

Over the years I've met with businesses who have these kinds of setups.
The way it usually works is that the analysis is secondary and based on a
suspicion of some kind. For example: if an employee is suspected of insider
trading, or stealing proprietary data, then the administrators may take the
extreme measure of inspecting all of their traffic. This is why many
corporate environments have those "No expectation of privacy" disclaimers.

Another example is where traffic to a set of suspicious destinations is
subject to a higher level of scrutiny. For example, maybe traffic bound for
well known file sharing services.

I've never seen an environment with pervasive always-on monitoring;
creating a trove of plaintext would be a net security negative, and
organizations rarely have the resources it would take to keep or analyze
all of it anyway.

>> Yes, but you'll rot13 or rot 128 the file first. Why wouldn't you?
>>
>
> Many don't.  And being able to see rot(x) in the cryptostream has value.
>
>
> As the IRA pointed out to the Prime Minister, she needed to get lucky
> every time.
>

Where I come from, if you're quoting the IRA to support an argument, nobody
takes you seriously.


> The tools that network engineers and security personnel need analyze
> network traffic.  Logs are insufficient.
>
>

They are, though it's a big change. I think we can do better than logs; a
mechanism that's in TLS itself could be opt-in and user-aware, and so less
likely to be abused in other situations. There are also some basic security
model advantages to encrypting the PMS under a public-private key pair, and
one that isn't using the private key that the servers themselves hold.

-- 
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
