[Cryptography] IAB Statement on Internet Confidentiality

Ray Dillinger bear at sonic.net
Tue Nov 18 19:18:44 EST 2014

On 11/17/2014 02:38 PM, Viktor Dukhovni wrote:
> On Mon, Nov 17, 2014 at 02:57:31PM -0500, Jerry Leichter wrote:
>> Given our recent experience with STARTTLS rollback by at least
>> one ISP ... do we still feel so good about opportunistic encryption,
>> at least defined in this way?
> Yes, we feel good.  Opportunistic security is what you do when
> you'd otherwise send in the clear.  It is not weaker than cleartext.

This is true.  Additionally, MITM is not a risk-free passive attack.
Someone doing MITM must make an active attack on a channel
whose "legitimate" content is known to the parties at the endpoints.
Occasionally they will notice that there is a mismatch.  MITM risks
discovery and exposure in a way that someone passively listening
does not.

So even if MITM is feasible in some instances and in the short run,
it is not something that can be done at large scale without the
discovery and knowledge of the people whom it's being done to.

I think one of the biggest fallouts of opportunistic encryption
would be all the different "snoops" becoming more able to detect
each other's attacks.  I bet Chinese eavesdropping is going on in
hundreds of places in the US where the NSA would be intrigued
to find evidence of it, and I bet CIA eavesdropping is going on in
hundreds of places in China where the equivalent Chinese agencies
would be similarly intrigued to know.  The risks undertaken by these
agencies when operating MITM attacks in each other's territories are
not inconsiderable, and the consequences of detection are such that
the threat of discovery by each other is likely to reduce at least the
number of snoops operating and the frequency of snooping in the
affected areas.

There is some comedy to be played out there because the most
common means of detection that an MITM attack is in progress
would be having it interfere with one's own attempt to make an
MITM on the same channel.  But that never happens if both (or
all) parties are merely eavesdropping passively, so an MITM-able
protocol is definitely a step up from an eavesdroppable protocol.

