Re: Mandatory encryption *is* theater

Hi Eliot.

Your message implies that the choice is between cleartext HTTP and an annual fee to a certificate vendor.

IETF standards provide at least two other options:

DANE allows you to use a self-issued certificate and register the key in the DNS. This is not implemented in the many thousands of small devices that you mention, or in any browser, but then neither is HTTP/2. There is a deployment issue in that publishing a random RR is a non-trivial process. For example, [1] makes no mention of how to generate TLSA records, and GoDaddy (largest registrar in the world) has nothing about it in their support. But all that could change.

TLS has anonymous ciphersuites that do not require a certificate at all. True, these ciphersuites do not protect against on-path attacks, but they do stop passive listeners, and there is some value in that. Not enough to call it "HTTPS", but it is better than nothing. And the application can still use some channel binding to discover the MitM, such as Trevor's Smart Cookie proposal where the cookie (which is a secret shared by client and server) is bound to the current master secret ([3]). Even without this, defeating passive listeners is a worthy goal.

Yoav

[1] http://www.thesitewizard.com/archive/registerdomain.shtml
[2] http://support.godaddy.com/search/all/TLSA/
[3] http://www.ietf.org/mail-archive/web/websec/current/msg01729.html

On Aug 25, 2013, at 9:16 AM, Eliot Lear <lear@cisco.com> wrote:

> Mark,
> 
> Regarding the minutes of the group, the working group declined to
> mandate encryption for a number of reasons, not just back end services. 
> What I said the last time, was that we can damage overall Internet
> security by inuring people to certificate warnings – or we will inhibit
> adoption of HTTP2 – unless the mechanisms to manage certificates
> improve.  In addition many thousands of small devices exist without a
> simple means to enroll – and pay.  Even if they do enroll – and pay, the
> current certificate mechanisms require that they re-enroll - and pay. 
> And so they don't.  There simply is no magic bullet.  The economics are
> clear.  The means to encrypt has existed nearly two decades.   Mandating
> encryption from the IETF has been tried before – specifically with IPv6
> and IPsec.  If anything, that mandate may have acted as an inhibitor to
> IPv6 implementations and deployment and served as a point of ridicule.
> 
> And so, I do not agree with those who hummed in favor of mandatory
> encryption.  HTTP2 is already very complex and is biting off enough. 
> The more it bites off the less likelihood of broad adoption.  We've seen
> this movie before.  What we will have instead of HTTP/2 will be an
> optional alternative to HTTP/1.1 that is deployed by large scale high
> performance services.  Maybe that was always the goal, but if so, let's
> recognize that and relabel.  I was under a different impression.
> 
> If we wish to explore new means to authenticate endpoints, that would be
> a better starting point.
> 
> Eliot
> 

Received on Sunday, 25 August 2013 07:34:00 UTC
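Yoav's first option above turns on generating a TLSA record for a self-issued certificate. As an added example that is not part of the original thread, the following Python builds such a record in RFC 6698 presentation format (usage 3, DANE-EE, so no CA chain is needed) and performs the client-side match against the certificate presented in the handshake; the certificate bytes are a constructed placeholder, and the SubjectPublicKeyInfo needed for selector 1 is assumed to be supplied by the caller rather than parsed out of the DER here.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded self-issued certificate; a real device
# would read these bytes from its own certificate file.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder certificate" + bytes(range(64))

_DIGESTS = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}  # RFC 6698 matching types


def _association_data(cert_der, selector, matching_type, spki_der=None):
    """Pick the bytes the record covers (selector), then apply the matching type."""
    if selector == 0:
        data = cert_der                      # full certificate
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        data = spki_der                      # caller extracts SPKI with a DER parser
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type not in _DIGESTS:
        raise ValueError("unknown matching type %d" % matching_type)
    digest = _DIGESTS[matching_type]
    return data if digest is None else digest(data).digest()


def tlsa_rdata(cert_der, usage=3, selector=0, matching_type=1, spki_der=None):
    """RDATA in presentation format. Usage 3 (DANE-EE) pins the end-entity
    certificate itself, so a self-issued certificate passes without PKIX validation."""
    assoc = _association_data(cert_der, selector, matching_type, spki_der)
    return "%d %d %d %s" % (usage, selector, matching_type, assoc.hex())


def tlsa_record(hostname, port, cert_der, proto="tcp", **kw):
    """Complete record, e.g. '_443._tcp.example.com. IN TLSA 3 0 1 <hex>'."""
    return "_%d._%s.%s. IN TLSA %s" % (port, proto, hostname, tlsa_rdata(cert_der, **kw))


def tlsa_matches(rdata, cert_der, spki_der=None):
    """Client side: recompute the association from the presented certificate and
    compare it with the published data. Only usage 3 is handled; usages 0 and 1
    would additionally require a full PKIX chain check."""
    m = re.fullmatch(r"(\d+) (\d+) (\d+) ([0-9A-Fa-f]+)", rdata.strip())
    if not m:
        return False
    try:
        expected = _association_data(cert_der, int(m[2]), int(m[3]), spki_der)
        published = bytes.fromhex(m[4])
    except ValueError:
        return False
    return hmac.compare_digest(expected, published)
```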