
Re: SSL/TLS everywhere fail

From: Jacob Appelbaum <jacob@appelbaum.net>
Date: Fri, 4 Dec 2015 15:08:08 +0000
Message-ID: <CAFggDF2L1==CBMjrTxwsLYxNYaXjUReKOnqGGLc6VNokpZwNEQ@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>

On 12/4/15, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> --------
> In message
> <CAFggDF3aDuf6iZqr+n9yvKFfVVjvyntRL=DmA7vmXLh626BOHw@mail.gmail.com>
> , Jacob Appelbaum writes:
>>> You cannot fix political problems with technological hacks
>> Nor can you fix it with political cowardice and security nihilism!
> I don't think you can fairly accuse me of either?

No, I explicitly do not. Others are clearly guilty of both and some of
what I've read on the list was pretty... ugh.

We've discussed this in person and I think that very clearly we agree
that it is a political question. I think we also agree that all of the
choices of architecture are also political in nature. We probably
don't fully agree on solutions and I completely respect your process
for considering the problem space. Others simply disavow any
responsibility or pretend that their embrace of the status quo rids
them of any responsibility for consequences. I don't really see you in
that camp, frankly.

>>As has already been said in the thread: The technological changes
>>bring the political problems into a visible space.
> Absolutely agree.

Yes, I thought we did largely agree.

> But SSL/TLS is just about the worst encryption you can bring to
> that fight, because it is *so* trivial and routine to MiTM that you
> can find the list-price for the necessary equipment on Google.

This is where we diverge, I suspect. None of that equipment is going
to work against PayPal or Google or even Tor Project's website when a
user uses a modern browser as those sites are TLS with cert pinning.

While many sites can be attacked - it requires a specific on-path
attacker with access to specific high cost cryptographic resources.
This is far less trivial than when the protocol is insecure by
default. It costs more to attack encrypted connections and it gives us
room to detect and in some cases to stop attacks.

The design of a protocol that relies on an insecure transport is as
much of a political choice as the design of a protocol which relies on
a secure transport. The architecture of a system is also the
architecture of the politics of a system. I'm reminded of something I
read ages ago somewhere: "latent structure is master of obvious

> draft-thomson-http-encryption is a much better tool for civil
> disobedience:  It can be used with a thousand diverse key management
> schedules, including the only one we know to be intrinsically secure
> from MiTM (PSK), and there is *no* way to trojan all of it.

If it isn't deployed by default, I think it won't be a better tool in
practice. If it isn't easy to use and widely deployed, it will only be
a small part of the conflict.

> Deploy *that* with good key-management tools[1] and the politicians
> will face the much more unpalatable choice of "Block or Pass".

We can't choose a single tactic - we need to push on every front. We
will have various tactical wins and losses, and those results will
ripple out into larger strategic outcomes.

> If they choose "pass" we won.
> If they choose "block" we get the population on our side pretty quick.

We may also disagree here - I think there is no winning, we just
change the cost of attacks for periods of time. A plaintext protocol is
free to monitor, to attack and also it provides no effective detection
mechanism to those most impacted: our end users. This is completely
changed in Kazakhstan because of the methods the state has said that
they will use.

I'd bet that Kazakhstan will not actually carry out long term SSL/TLS
MITM attacks without incurring significant economic damage. The system
will likely have exceptions for special classes of people - especially
foreigners who travel on business. Even the "great" Chinese firewall
can be bypassed by buying a Deutsche Telekom SIM and using it while

> Changing the world with civil disobedience takes careful planning and
> execution.  Rosa Parks didn't just happen to be tired.

I'm in agreement. My civil disobedience is carefully planned and we're
having this discussion because there are many like me working in
similar directions. One of the key steps was to change the discussion
to understand that there is mass surveillance that is happening at
country scale. Another key step has been to build systems that provide
alternatives. Further steps are required, of course.

With all of that said - no one is forced to use TLS as others have
falsely claimed in the thread - they're all free to submit and hope
for mercy from the surveillance state. I'm not interested in that
path. We need strong defaults that enable people to make that choice.
Weak defaults do not give users a choice, they are tossed into the
latent structure of the internet. If we make it secure by default,
*each person* can make the same choice to be *insecure* when they want
it. The majority of the world will be protected from the majority of
would-be-attackers when things are secure by default. It isn't perfect
but it changes things drastically.

> [1] I hesitate to use the word GPG and "good" in the same context,
> but there *is* a very large web of trust to leverage.

Ha! Poor GnuPG.

All the best,

Received on Friday, 4 December 2015 15:08:38 UTC
