[Cryptography] IAB Statement on Internet Confidentiality

Jerry Leichter leichter at lrw.com
Mon Nov 17 23:18:13 EST 2014 

On Nov 17, 2014, at 7:31 PM, ianG <iang at iang.org> wrote:
>>> The approach is opportunistic.  Eg., for TCP, do a key exchange startup using the optional extensions capability.  If that works, use it for packets, if it doesn't, back off to unencrypted.
>> Given our recent experience with STARTTLS rollback by at least one ISP ... do we still feel so good about opportunistic encryption, at least defined in this way?
> Yes, definitely.  Before, we didn't know who the attacker was.  We just handed everything over on a plate.
> 
> Now he has to attack.  Now we know who the attacker is.  It's a dramatic step forward.
There seems to be unanimity in the response here, but I'm not sure I agree.  Note my "at least defined in this way".

The STARTTLS business involves two levels:  First, it allows anyone along the path to easily force a fall-back; second, that fall-back is essentially invisible unless someone happens to dig into details of logs.  The fall-back issue is pretty much inseparable from the whole notion of "opportunistic encryption", so one just has to live with it.  But the invisibility is something that can be dealt with - *if* you're willing to expand the range of stuff you include in a protocol definition.  Today, communications from the guts of the protocol to the user is binary:  Either you deliver a result, or you fail.  In fact, protocols have been broken when they attempted to deliver more detailed information, so the tendency has been to keep the communication channel extremely limited.

However, if you limit it this way, opportunistic encryption has no way to tell you that it's been blocked.  If no one notices attacks, the step forward looks much less dramatic, no?

Given the huge variety of protocols and protocol usage frameworks out there, it would be impossible to prescribe what kind of communications is appropriate.  But we could think about general frameworks and guidelines.  It's tricky, because any attempt to deliver the information in-line can be forged.  (E.g., if you try to add a "Delivered using STARTTLS" header, an attacker can disable STARTTLS, then add the header himself.)  But if you're going to say "this helps because it turns passive attacks into active attacks, and active attacks will be noticed" - you have to make sure they can be noticed.  By large numbers of people, in ordinary operation, not just by experts who happen to be looking for exactly such an attack.
                                                        -- Jerry

More information about the cryptography mailing list