W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: SSL/TLS everywhere fail

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sun, 6 Dec 2015 19:47:17 +1300
To: ietf-http-wg@w3.org
Message-ID: <5663D9F5.7020409@treenet.co.nz>
On 6/12/2015 11:59 a.m., Jacob Appelbaum wrote:
> On 12/5/15, Poul-Henning Kamp wrote:
>> --------
>> Jacob Appelbaum writes:
>>
>>>> And that is *exactly* why people should have thought "Hang on, If
>>>> TLS-everywhere is easly defeated by COTS products..."
>>>
>>> The model here is a bit strange. HTTP withou TLS is also easily
>>> defeated. There is a cost here that is higher for the adversary and
>>> that includes a political one: detection.
>>
>> Jacob, that's a false dictomy and you know it well.
> 
> Not exactly. We have started with unencrypted connections that lack
> confidentiality, integrity and authenticity. Moving to TLS gives us
> all three with a computational cost and within certain boundaries.

The tired old argument against "TLS-everywhere" is that TLS does *not*
offer all three of those.

* TLS does not offer confidentiality. TLS MiTM is commonplace now. It
has even reached the point where traffic metadata can be recorded and
correlated without decrypting the content of the stream.

* TLS does not offer integrity. TLS MiTM can corrupt the messages inside
encrypted streams just as easily as thay can for un-encrypted traffic.

When used with 2-way certificate verification TLS can offer
authenticity. But that is still a rare situation to actually see
implemented. Instead we see all sorts of half-measures (eg. HSTS, cert
pinning)

The benfits of TLS only occur when it is used properly in the situations
where it is the best tool. The "TLS everywhere" drive with its over
hyped arguments (and outright lies at times) is seriously undermining
those benefits by pushing it out into every possible connection no
matter how unsuitable TLS is for the use-case or broken the implementation.

The push back against "TLS everywhere" is attempting to ensure that
those privacy/confidentiality and security/integrity/authentication
goals can actually be *achieved*, instead of undermined by a rushed and
broken rollout that leaves the whole world in a worse place than
un-encrypted rollout did.

Lets slow down the hype train and do it *right*.


> Some object to confidentiality, others to integrity and so on. A lack
> of action on this has ensured that some protocols stay unencrypted -
> an explicit goal of some of the bad actors who are present as agents
> of influence in this (and other!) standards body.

Please do not equate TLS with encryption. Encryption is much bigger than
TLS. A fact that the "TLS everywhere" fanatics are constantly shouting
out with their insistence that anyone doing encryption in non-TLS
settings is Bad Thing.

(I know you are not thinking of protocols like DNSSEC, VPN, or VPE as
unencrypted, but the implication is there.)

Amos
Received on Sunday, 6 December 2015 06:48:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC