[Cryptography] At what point should people not use TLS?

Tony Arcieri bascule at gmail.com
Thu Apr 7 01:58:01 EDT 2016


On Tue, Apr 5, 2016 at 8:00 PM, david wong <davidwong.crypto at gmail.com>
wrote:

> I know Moxie has given a lot of thought to TLS, and that Trevor is a
> legend, bla bla bla... but what about "crypto should be boring"? What about
> the peer-review and all the research done around TLS and its
> implementations?
>

I share some of your concerns. I posted to the CFRG list about them:

https://mailarchive.ietf.org/arch/search/?email_list=cfrg&gbt=1&index=VLyJIStoWay3xFKDa--Eahi8H3Y

I have also spent a lot of time discouraging people from homebrewing their
own transport encryption protocols and driving them towards TLS:

https://twitter.com/bascule/status/685307512459952128

All that said: I think you are being overly dramatic. Unlike most homebrew
transport encryption protocols, Noise isn't immediately and obviously
broken (at least to me). In fact, it has a number of similarities to the
proposed OPTLS key exchange protocol.

Analysis is a chicken-and-egg problem: nobody is going to bother analyzing
a protocol that nobody uses, so if you want people to analyze your
protocol, you have to deploy it to a wide audience to give them a reason to
care.

Noise covers a number of non-stream-oriented use cases which TLS (and also
DTLS) do not. In the absence of a protocol that covers these use cases,
there's been a longstanding history of amateurs cobbling together their own
immediately and obviously broken transport encryption protocols,
particularly since the popularization of NaCl has given them a sort of
crypto Dunning-Kruger[1] that because the primitives are safe(r), protocol
design is easy.

I say let's see where this goes. With over a billion users relying on it,
perhaps it will start drawing analysis organically.

(Note: I've been following Noise development for a number of years, so
maybe I'm biased)

[1]: Yes I know about the controversy surrounding Dunning-Kruger. No need
to point that out, let's keep it on topic please.

-- 
Tony Arcieri