There is a hot, lengthy argument going on in the IETF’s TLS Working Group which has been making me uncomfortable. It’s being alleged that there is an attempt to weaken Web security in a deep, fundamental way, which if true is obviously a Big Deal.

What’s an IETF TLS WG? · TLS is the cryptographic protocol (in several versions, with many cipher suites and extensions) that makes the Web secure. You may have noticed that more and more web addresses begin with “https:” rather than “http:”, which is a good and important thing: that’s TLS in action.

The standards behind this good and important thing are hammered out by the Internet Engineering Task Force’s (IETF’s) Transport Layer Security (TLS) Working Group (WG). They do their work in public and you can watch them.

Recently, there has been a ferocious outburst of controversy, kicked off by a draft called Data Center use of Static Diffie-Hellman in TLS 1.3. Some people say it’s a practical extension to let people who run data centers decrypt and inspect the traffic inside their own networks for troubleshooting and monitoring. Others say that it’s an attempt to build wiretapping into the Web.

I’ve been reluctant to write about it because I am not a crypto wizard and don’t really understand Diffie-Hellman well. Fortunately, Stephen Checkoway, who is an expert, wrote TLS 1.3 in enterprise networks, and I was pleased to discover that he saw the picture more or less the same way I do.

Clearly, this is a subject on which reasonable people can disagree in good faith. But let me throw a little fuel on the fire: I think that in fact some people and organizations do want to add wiretapping to the Web, and in a way that would be overly difficult to detect by people being wiretapped. I further think that there’s no excuse for doing this, and agree with Checkoway’s take-away: “Yes, switching to TLS 1.3 will prevent operators from doing precisely what they’re doing today; however, there is currently no need to switch. TLS 1.2 supports their usecase and TLS 1.2, when used correctly, is secure as far as we know. Of course the network operators won’t receive the benefits of mandatory forward secrecy, but that is precisely what they are asking to give up in TLS 1.3.”
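To make concrete what “mandatory forward secrecy” protects and what a static server Diffie-Hellman key gives up, here is an added Python illustration; it is not code from the draft, from Checkoway’s post, or from any TLS implementation. It simulates three TLS-1.3-style handshakes against a server that either reuses one DH private key across connections (the data-center proposal) or generates a fresh one per connection, then plays a passive recorder that captured both key shares on the wire and later obtains whatever DH secrets the server still holds. The group is finite-field DH over the RFC 2409 group 2 prime, chosen only because it fits in standard-library Python (it is far too small for real use; TLS 1.3 deployments use X25519 or P-256, but the forward-secrecy property is identical), and `derive_session_key` is a stand-in for the TLS key schedule. The names `Server`, `handshake`, `passive_decrypt` and `run` are this example’s own.

```python
"""Static vs ephemeral DH in a TLS-1.3-style key exchange: why a reused
server key share lets a passive recorder decrypt traffic after the fact.

Added illustration, not code from the draft, the IETF, or the post.
"""
import hashlib
import secrets

# RFC 2409 "Second Oakley Group" prime (1024-bit), generator 2.
# ILLUSTRATION ONLY: too small for real deployments.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def keygen():
    """Random private exponent and its public key share g^x mod p."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def derive_session_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS 1.3 key schedule: hash the DH output."""
    width = (P.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


class Server:
    def __init__(self, static_dh: bool):
        self.static_dh = static_dh
        # A static-DH server keeps one DH private key across connections, the
        # key a data-center operator would hand to its decryption appliances.
        self._static_priv, self._static_pub = keygen() if static_dh else (None, None)

    def retained_dh_private_keys(self):
        """DH secrets that still exist after the handshakes are over."""
        return [self._static_priv] if self.static_dh else []

    def respond(self, client_pub: int):
        if self.static_dh:
            priv, pub = self._static_priv, self._static_pub
            key = derive_session_key(pow(client_pub, priv, P))
        else:
            priv, pub = keygen()  # fresh key share for this connection only
            key = derive_session_key(pow(client_pub, priv, P))
            del priv              # the ephemeral secret is discarded
        return pub, key


def handshake(server: Server):
    """One client<->server exchange. Returns what the wire shows (both key
    shares) and the session key both sides agreed on."""
    c_priv, c_pub = keygen()
    s_pub, server_key = server.respond(c_pub)
    client_key = derive_session_key(pow(s_pub, c_priv, P))
    assert client_key == server_key
    return {"client_share": c_pub, "server_share": s_pub}, client_key


def passive_decrypt(transcript, retained_private_keys):
    """A recorder that captured the handshake and later obtains whatever DH
    secrets the server retained. Returns the session key or None."""
    for priv in retained_private_keys:
        if pow(G, priv, P) == transcript["server_share"]:
            return derive_session_key(pow(transcript["client_share"], priv, P))
    return None


def run(static_dh: bool, n_sessions: int = 3):
    """Record n handshakes, then try to recover every session key."""
    server = Server(static_dh)
    recorded = [handshake(server) for _ in range(n_sessions)]
    recovered = [passive_decrypt(t, server.retained_dh_private_keys())
                 for t, _ in recorded]
    return {
        "all_sessions_recovered": all(r == k for r, (_, k) in zip(recovered, recorded)),
        "none_recovered": all(r is None for r in recovered),
        # What a client could notice: the same server key_share on every connection.
        "server_share_reused": len({t["server_share"] for t, _ in recorded}) < n_sessions,
    }


if __name__ == "__main__":
    print("static DH :", run(True))
    print("ephemeral :", run(False))
```

Running it prints one line per mode. With a static key, every recorded session decrypts once the recorder holds the one private exponent, and `server_share_reused` shows the single thing a client could notice: the server’s key_share is byte-for-byte identical across connections, though only a client that talks to the server more than once and compares would see it. With ephemeral keys nothing the server retains helps, because the private exponent was discarded when the handshake finished; that is the forward secrecy the quoted passage refers to.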

So, dear IETF TLS WG: It re­al­ly looks like you shouldn’t do this.

Finally (on a related but distinct subject) I’m a little worried how easy it seems to be to introduce a wiretapping capability into TLS 1.3. But that’s all I’ll say on the subject because, as already stated, I’m not a crypto nerd.



From: Tony Wuersch (Jul 27 2017, at 13:09)

I very much agree with Tim on this. It makes sense to me that there should both be a TLS 1.3 that requires PFS, and one for enterprise goals via TLS 1.2. Personally, I'm building a network now, and I want to audit Kerberos traffic, so I'll probably go the TLS 1.2 plus static Diffie-Hellman route. But I'm glad clients can identify TLS 1.3 with PFS if they want that.


July 24, 2017