On Fri, Aug 22, 2014 at 08:11:38AM +0000, l.wood@xxxxxxxxxxxx wrote:

[ top-post rearranged ]

> Nico wrote:
>
> > On Fri, Aug 22, 2014 at 12:25 AM, <l.wood@xxxxxxxxxxxx> wrote:
> >
> > > Okay, so with opportunistic security, all a man in the middle
> > > has to do is block any communications he can't decrypt, and it
> > > automatically downgrades to select something he can break?
> > >
> > > Ah, there's the opportunity. Got it.
> >
> > Eh? The idea is to be downgrade resistant.
>
> no, it's at encryption above a baseline. assume mitm can't crack
> maximum level, but can crack baseline and above. if maximum can't
> be negotiated because mitm prevents it, and less is settled for...
> well. may as well have fallen back to clear.

For the record: OS is primarily about high-level security mechanism
selection (cleartext, passive-only, active and passive protection).
The draft says deliberately little about the fine details of crypto
handshakes, which may or may not support a range of ciphers and will
typically do exactly the same thing when used opportunistically in an
OS protocol as otherwise.

For example, I don't see TLS changing to become opportunistic. Rather
I see higher-level application protocols that can employ TLS using it
opportunistically when previously they might have sent in cleartext.

(Vocabulary point I try to keep straight: "plaintext" is input to
encryption, or output of decryption, while "cleartext" is unencrypted
content on the wire.)

OS does not impact the active attacker's ability to tamper with
unauthenticated communication. However, OS encourages authentication:

* Any currently protected traffic remains protected; OS does not trump
  existing policy that mandates comprehensive security. For example,
  opportunistic security for HTTP does not downgrade HTTPS; all it does
  is upgrade HTTP to resist passive and, perhaps some day with some
  peers, also active attacks.

* OS suggests that it is a good idea to employ downgrade-resistant
  mechanisms to discover which peers can be authenticated, and then
  authenticate those peers.

It used to be easy to dismiss opportunistic security as a waste of
time; it is now clear to most that it is not.

-- 
Viktor.
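The two points Viktor makes at the end of the message (OS never lowers protection that existing policy already mandates, and downgrade-resistant discovery lets a client insist on authentication for peers it has learned can be authenticated) can be made concrete with a small policy-selection model. The following is an added illustration, not code from the thread or from any OS draft or implementation; the peer names, the `MANDATORY_POLICY` table, the `DOWNGRADE_RESISTANT_DISCOVERY` set and the two attacker helpers are constructed assumptions standing in for, say, a configured TLS-required list and a DANE/DNSSEC or cached-policy lookup that an on-path attacker cannot rewrite.

```python
"""Toy model of opportunistic-security (OS) mechanism selection.

Added example, not from the original post. Everything below (peer names,
policy tables, attacker helpers) is constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The three high-level mechanisms the post talks about."""
    CLEARTEXT = 0          # no protection at all
    PASSIVE_RESISTANT = 1  # encrypted but unauthenticated
    ACTIVE_RESISTANT = 2   # encrypted and the peer is authenticated


@dataclass(frozen=True)
class Offer:
    """What the peer appears to offer on *this* connection.

    Both fields are attacker-controllable for an active man in the middle.
    """
    tls: bool         # peer advertised TLS / STARTTLS
    cert_valid: bool  # peer certificate validates against our trust anchors


# Assumption: pre-existing policy that mandates comprehensive security for
# some peers (e.g. an operator-configured "TLS required" list).
MANDATORY_POLICY = {"bank.example": Level.ACTIVE_RESISTANT}

# Assumption: peers whose ability to authenticate was learned through a
# downgrade-resistant channel (e.g. DANE TLSA via DNSSEC, or a cached
# policy). The attacker on the current connection cannot alter this set.
DOWNGRADE_RESISTANT_DISCOVERY = {"secure.example"}


class Refused(Exception):
    """Raised when the achievable level is below what policy requires."""


def required_level(peer: str):
    """Minimum level we insist on, or None if the peer has no policy."""
    if peer in DOWNGRADE_RESISTANT_DISCOVERY:
        return Level.ACTIVE_RESISTANT
    return MANDATORY_POLICY.get(peer)


def achievable_level(offer: Offer) -> Level:
    """Best level the current connection can provide, given the offer."""
    if offer.tls and offer.cert_valid:
        return Level.ACTIVE_RESISTANT
    if offer.tls:
        return Level.PASSIVE_RESISTANT
    return Level.CLEARTEXT


def select_level(peer: str, offer: Offer, opportunistic: bool = True) -> Level:
    """Pick the mechanism to use, or refuse.

    Policy (mandatory or discovered) is never trumped: below the required
    level we refuse rather than settle. Without any policy, legacy behaviour
    is cleartext; an opportunistic client instead takes the best available
    level, which can never be worse than cleartext.
    """
    required = required_level(peer)
    achievable = achievable_level(offer)
    if required is not None:
        if achievable < required:
            raise Refused(f"{peer}: need {required.name}, got {achievable.name}")
        return achievable
    return achievable if opportunistic else Level.CLEARTEXT


def mitm_strip(offer: Offer) -> Offer:
    """Active attacker removes the TLS advertisement (STARTTLS stripping)."""
    return Offer(tls=False, cert_valid=False)


def mitm_terminate(offer: Offer) -> Offer:
    """Active attacker terminates TLS with a certificate we do not trust."""
    return Offer(tls=True, cert_valid=False)


def run_scenarios() -> dict:
    """Outcomes for the cases discussed in the thread (names as strings)."""
    legacy = Offer(tls=True, cert_valid=False)  # typical self-signed peer
    good = Offer(tls=True, cert_valid=True)
    results = {}

    def attempt(name, peer, offer, opportunistic=True):
        try:
            results[name] = select_level(peer, offer, opportunistic).name
        except Refused:
            results[name] = "REFUSED"

    attempt("legacy_no_os", "mail.example", legacy, opportunistic=False)
    attempt("legacy_os", "mail.example", legacy)
    attempt("legacy_os_mitm_strip", "mail.example", mitm_strip(legacy))
    attempt("legacy_os_mitm_terminate", "mail.example", mitm_terminate(legacy))
    attempt("mandatory_mitm_strip", "bank.example", mitm_strip(good))
    attempt("discovered_mitm_terminate", "secure.example", mitm_terminate(good))
    attempt("discovered_honest", "secure.example", good)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} {outcome}")
```

The interesting rows are the ones for `mail.example`: an attacker who strips TLS gets the client back to cleartext, which is exactly where it would have been without OS (Lloyd's objection), and an attacker who terminates TLS still reads the traffic, which is the "OS does not impact the active attacker" caveat. What the attacker cannot do is push `bank.example` or `secure.example` below authenticated TLS, because the requirement comes from a policy table and a discovery channel that the connection itself does not control.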