There is a hot lengthy argument going on in the IETF’s TLS Working Group which has been making me uncomfortable. It’s being alleged that there is an attempt to weaken Web security in a deep fundamental way, which if true is obviously a Big Deal.

What’s an IETF TLS WG? · TLS is a broad term for the family of crypto and related security protocols that make the Web secure. You may have noticed that more and more web addresses begin with “https:” rather than “http:”, which is a good and important thing; TLS in action.

The standards behind this good and important thing are hammered out by the Internet Engineering Task Force’s (IETF’s) Transport Layer Security (TLS) Working Group (WG). They do their work in public and you can watch them.

Recently, there has been a ferocious outburst of controversy, kicked off by a thing called Data Center use of Static Diffie-Hellman in TLS 1.3. Some people say it’s a practical extension to let people who run data centers manage their network traffic. Others say that it’s an attempt to build wiretapping into the Web.

I’ve been reluctant to write about it because I am not a crypto wizard and don’t really understand Diffie-Hellman well. Fortunately, Stephen Checkoway, who is an expert, wrote TLS 1.3 in enterprise networks, and I was pleased to discover that he saw the picture more or less the same way I do.

Clearly, this is a subject on which reasonable people can disagree in good faith. But let me throw a little fuel on the fire: I think that in fact some people and organizations do want to add wiretapping to the Web, and in a way that would be very hard for the people being wiretapped to detect. I further think that there’s no excuse for doing this, and agree with Checkoway’s take-away: “Yes, switching to TLS 1.3 will prevent operators from doing precisely what they’re doing today; however, there is currently no need to switch. TLS 1.2 supports their use case and TLS 1.2, when used correctly, is secure as far as we know. Of course the network operators won’t receive the benefits of mandatory forward secrecy, but that is precisely what they are asking to give up in TLS 1.3.”
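To make concrete what “mandatory forward secrecy” buys, and what a static Diffie-Hellman server key gives up, here is an added illustration in Python. It is not code from the original post, from Checkoway’s article, or from the IETF draft; it is a toy model of the key exchange. The modulus and generator are assumptions chosen for readability (a prime, generator 2) and are not a standards-track DH group; the session-key derivation is a plain SHA-256 of the shared secret rather than the real TLS key schedule.

```python
import hashlib
import secrets

# Toy DH parameters (assumption for illustration only; not a standard group).
P = 2**255 - 19
G = 2


def keypair():
    """Generate one DH private/public pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def session_key(secret):
    """Stand-in for the TLS key schedule: hash the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def run_session(server_priv, server_pub):
    """One handshake. The client is always ephemeral; the server key is
    whatever the caller passes in. Returns the session key and the
    'wire record' a passive recorder would keep: just the public values."""
    c_priv, c_pub = keypair()
    key = session_key(shared_secret(c_priv, server_pub))
    wire_record = {"client_pub": c_pub, "server_pub": server_pub}
    return key, wire_record


def static_dh_sessions(n):
    """Server reuses ONE private key across all sessions (the draft's model).
    Returns that key, plus the per-session (key, wire_record) pairs."""
    s_priv, s_pub = keypair()
    return s_priv, [run_session(s_priv, s_pub) for _ in range(n)]


def ephemeral_dh_sessions(n):
    """Server generates a fresh key per session and discards it afterwards
    (what TLS 1.3 mandates). Only the wire records survive."""
    sessions = []
    for _ in range(n):
        s_priv, s_pub = keypair()
        sessions.append(run_session(s_priv, s_pub))
        del s_priv  # forward secrecy: nothing retained that could rederive the key
    return sessions


def rederive_from_static_key(s_priv, wire_record):
    """What the holder of the static key can compute from recorded traffic."""
    return session_key(shared_secret(s_priv, wire_record["client_pub"]))


def recoverable_count(held_priv, sessions):
    """How many recorded session keys the held key actually reproduces."""
    return sum(
        1 for key, rec in sessions if rederive_from_static_key(held_priv, rec) == key
    )


if __name__ == "__main__":
    s_priv, static = static_dh_sessions(5)
    print("static DH, key held:", recoverable_count(s_priv, static), "of 5 sessions")
    eph = ephemeral_dh_sessions(5)
    print("ephemeral DH, any old key:", recoverable_count(s_priv, eph), "of 5 sessions")
```

The point of the comparison is the asymmetry in what must be kept: with the static design, one long-lived private key plus a passive recording of the wire is enough to reproduce every session key, past and future, which is exactly the auditing capability the draft wants and exactly what forward secrecy is meant to deny. With per-session server keys there is nothing to hold on to, so a recording is just public values.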

So, dear IETF TLS WG: It really looks like you shouldn’t do this.

Finally (on a related but distinct subject) I’m a little worried about how easy it seems to be to introduce a wiretapping capability into TLS 1.3. But that’s all I’ll say on the subject because, as already stated, I’m not a crypto nerd.



From: Tony Wuersch (Jul 27 2017, at 13:09)

I very much agree with Tim on this. It makes sense to me that there should both be a TLS 1.3 that requires PFS, and one for enterprise goals via TLS 1.2. Personally, I'm building a network now, and I want to audit Kerberos traffic, so I'll probably go the TLS 1.2 plus static Diffie-Hellman route. But I'm glad clients can identify TLS 1.3 with PFS if they want that.


July 24, 2017


I am an employee of, but the opinions expressed here are my own, and no other party necessarily agrees with them.

A full disclosure of my professional interests is on the author page.