W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: A proposal

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 19 Nov 2013 15:10:23 +0000
Message-ID: <528B7F5F.1020406@cs.tcd.ie>
To: Albert Lunde <atlunde@panix.com>, HTTP Working Group <ietf-http-wg@w3.org>


On 11/19/2013 02:33 PM, Albert Lunde wrote:
> I'm not sure how "opportunistic encryption" of traffic without
> validation of server certificates would be defended against active
> man-in-middle attacks.

Opportunistic encryption that is vulnerable to mitm attacks
can still be valuable.

It turns what can otherwise be a passive attack into a
requirement to mount an active attack.

Active attacks are more expensive to mount, and much more
expensive to do at v. large scale, and perhaps more importantly
can be detected in some cases, e.g. via later comparisons
of session keys used. If pervasive active attacks were to be
attempted, then those could probably be detected via some
kind of observatory. Passively tapping a fibre and snarfing
plaintext is essentially not detectable and apparently is
not too expensive for some. And is liable to get cheaper
and become more common for more attackers now that the
world knows all about it.

Having said that, for the web, server-authenticated TLS
is better if it we can get it closer to ubiquitous, which
is the current plan.

But one could make a reasonable argument though that
there is a smaller barrier facing the introduction of
non-server-auth or opportunistic TLS, due to not having to
deal with CAs.

TLS has also supported anonymous diffie-hellman key
exchange since way back and that is apparently relatively
widely implemented at least in libraries. I'm not sure
about web servers or browsers, nor about how good the
interop situation is though. Those ciphersuites already
provide the kind of opportunistic encryption we're talking
about here, for example TLS_DH_anon_WITH_AES_128_GCM_SHA256,
though again, I don't know if that specific one is readily
available today or not, and that is different from the
draft that Mark wrote about opportunistic encryption for
HTTP before Vancouver.

So if the httpbis wg do want to explore that avenue then
that would be reasonable and has real benefits and there
are sensible ways to go about the work.

S.
Received on Tuesday, 19 November 2013 15:10:55 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC