Re: SSL/TLS everywhere fail

--------
In message <CAFggDF2L1==CBMjrTxwsLYxNYaXjUReKOnqGGLc6VNokpZwNEQ@mail.gmail.com>
, Jacob Appelbaum writes:

>> But SSL/TLS is just about the worst encryption you can bring to
>> that fight, because it is *so* trivial and routine to MiTM that you
>> can find the list-price for the necessary equipment on Google.
>
>This is where we diverge, I suspect. None of that equipment is going
>to work against PayPal or Google or even Tor Project's website when a
>user uses a modern browser as those sites are TLS with cert pinning.

You're right.

PayPal, Google and the Tor Project will probably just stop working
in Kazakstan, and either they decide to follow the duly enacted
and valid laws of that country, or they will not be doing business
there.

For Kazakstan they *might* be able to shrug, although the track-record
indicates that the first two tend to follow local laws.

I have no idea what the Tor project will do, but fortunately the
human rights activists I know about has a fallback.

But have you followed the political discourse in UK recently ?

Will PayPal, Google and the Tor Project be able to shrug it off
when the UK government makes a similar move ?

>While many sites can be attacked - it requires a specific on-path
>attacker with access to specific high cost cryptographic resources.

Dude, it's not high cost.  Kazakstan probably didn't even pay a
million dollars for their kit.

>> Deploy *that* with good key-management tools[1] and the politicians
>> will face the much more impalatable choice of "Block or Pass".
>
>We can't choose a single tactic [...]

That response is a little bit ironic, coming from one of the loudest
"TLS everywhere" advocates...

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Saturday, 5 December 2015 00:21:12 UTC