brent timothy saner via plug on 10 Aug 2020 14:16:04 -0700
|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
- From: brent timothy saner via plug <plug@lists.phillylinux.org>
- To: Rich Freeman <r-plug@thefreemanclan.net>
- Subject: Re: [PLUG] news
- Date: Mon, 10 Aug 2020 17:15:50 -0400
- Autocrypt: addr=brent.saner@gmail.com; prefer-encrypt=mutual; keydata= mQINBFKm0mgBEADSI5oeyqRYZ8YWxPbux4CeqaMNh4etuyJmglDRCQB9t1XlvhMDLZWQNqm+ ORBN3YGISUu+X55p10lK/O1w/85zXkAV7Qe6fkvUzSx0tbPWLu4rn4zH9JgTExElhFRv143H W/EKehejEetkNz6JSwGUXNiF5qh1GbKLOmShbmCSKXLcmw05Qj4ELmhkH9OWXpeM0EHmWIEK VSeoIim/g1MYYxKOb1wY3DEubY9zn3lfz9xfLq/xlFMepDyNAEer/qZDSHQqnymdqXlt6L9e mfd4snHLiDfUgG9JOPeMDWeT6XWJDtKKCcZ3JDSMEGgZsFYpwJxJEwPxnfhHJmH8ENxi/8Cu 0fLFvzgAP+VK/Z1egBI7l241fDDREg3e+NWFhUM5bjwBmqk1z8nkRdru+QSMtPl6Erkd+Tbp 7lGGpQwCbI6esdBPkx/nV8+fIPEcsR2G5jG7O9U4J6q3B1nRFrR863SJHudIWV/l59ZvA8kI knDYNOixPLmnoRrO7LNIWe9jpnkZdg34Aa5AjAjGEKwY5EAzqkKuPEMVGqg/36YUcnqYS98W iVgCpaGg6KJqCMVXBfugxd79rtkyT4Oeju/z/Yp2xxXm3Pqcocb1CxbiEYDLJNT7/hyIJ072 4asMz2DTDMIMciP93hPraEtINknPlerNX2XqK03D+gyBGqAL7QARAQABtCtCcmVudCBUaW1v dGh5IFNhbmVyIDxicmVudC5zYW5lckBnbWFpbC5jb20+iQI8BBMBAgAmAhsDBwsJCAcDAgEG FQgCCQoLBBYCAwECHgECF4AFAlLzvnsCGQEACgkQjABML5NIH2vQHxAArz6yjoQqUPoOFBRF P6hXHcMegvh4vZ0xOcoU+7KyUyD2f5jYivQFSVYcRDr7hyHTs3iRr0HKN8dUUSyLkNCc+rd2 FwqftUF2JLqlqpJ4HDXw+5L2rw0+0voy7JpRNtoGlfkh32SHIbTmNwVIFm1yVg+xNk0RAvl8 /NnPzgi0IKgOJNcxicLpy0f0o/uWHKcm6uS8SBZL3col1Wuhwqt/VY7Nz0cCF7IrRNGyMMPF PMRq3A5144U81WQR94iGlpvWku/qnFAvC9NNTllCwFYpiuI2BkndlPO3YqOwcGbVTOO765la Qz9EQn9b9ipnPjOSp9HLhu53RoJyUWogBtijCzEgODYJuflPWoXG4ubB11wP2CRPZzj3KqFE cShAyNwE2bAtHwtqsksII3J46EEQDrHam/0D6F+jNMZK31E/ET9WcdzZhFRGaBd748dRcaoH BaHpviH+GtRZiWtrR0238Df05MtZPTlZi2t4icBIGVN4j0mcMbgVY/5CudLQGa7BSjnKR/uy hJI7ANOHCsIud6rIB9s5qly60bXjOZ4hG1iFIhUFC+zgrOYGZLbJgCaKd5sdBCWOsQwInD/X eWO+6p4bW0YIp0YXZA5+0Uo8EP4t+NzvfGhe19gy8hrJYZGSW1PJDvqvs+b5XO2j5Be6ec2Y 09Ta99U94SxWp3nXpKS5Ag0EUqbSaAEQAMIB/UpTre+NGzkvTmO6wnfQuzJKEEWnX2p/+eQF ZgDhObvwhvZr7C3I9wP3JnAP3LoJqrnmp78qE2v7snlSG1i66hqcj8Cw2EkBRLFsseva2uI5 B63RLrV0tTXN86nmHhw8qJ2GBu84Ddw7KtYoCRbq902eWsgWxRJVwAK+ip24tVVJxaR23nkO FwU+suYRDhiM9GLVj2waomgJK60dhxLOLZSRwJ0S1A2pu16GEx8USEoz7WNDJgx8PJPSzyH5 U7h9hXhpTEvS8nOV5G7YhksKBR6ECjmleCSehBaotVTAhXTfoh9fyCusMBwizLBoS8GmPUnv nUlvJzyAzu1KxnFzpwEk9ZBgLqWxzC/i4PZKrpqG7n5JqgEl0gg+7fn5Sdwq14Trg+djDGa5 c8n5hXEyszWTka53AhVCn8yq01zYNZoMDG6adYku/g3n5mBxKYuSoMkzuPRgihpsrhN/0RGY nJRDw5cpAjywWhTfFWGaAz6mDNhCV9daoqAoFjmIt9PAFeTrHj0XZXW7C53t4Qor9Nc5goh5 jlw7vv58CpdF0dPF6jLhDL2AYtplqwdPQr8+hj8WyFW8Rbj/OOj/z/JdDa6xCqfvh0udGLVa FDwQXZ1D4sqjwABhqdCppYb9TSq0TzR2LyZDnn/JZied2Q2LypPbsoGa3qd//w5W6NczABEB AAGJAh8EGAECAAkFAlKm0mgCGwwACgkQjABML5NIH2tCDBAAiMHQIKXCnm3XOcBuArJ8l0Yp W7q9KWF1YtmK+Jg+JqF8vTR7qvJ1djpVJVzCbL73bSrw24bLjHhcATuBsQxYPu2sSulcPB8n ri3ki/rWiWpNtjykKi6z56o+vDmbVH8UyA++zHQIaOx7tyKnh4w1F2i46132yMHLHFAdQkAl AJRMIQ6E0AKK9t61r+NJ0KT8g1h9PMcJkPWkGmQjT9eahLlO1H3kua0xCZ264CFUkpYo7t0I Y9BuRafzrqRqrYBJzEeDSd2dNz8u+jTF8RlHyaiePcTE9R1A41mK2vDCgWAbmXW8eruVz+Av zdXSNr6erccamRmeTIyJ5WpGeoA/ZeTDVSLzU2/i/PK2yI/8DTwWnt0iLC+8qvbz+E27/8i5 x5w3PosUjXzHQugBZO0xrBqti9rWV6u73zAE07EKaGfTm4Py3HRfysmFijcT0xpEeuilXM72 TixP75enqXN45ouwrapBcjAM3oxn+eVAagtzMUjXjHJBP5g5PHCRTuzakNzvFu1YNV9Oec8S O+hoQAuW6Wy5NfCN3Bg+KHPu/U6Lw9TcbFtCGOswMx9U2Thuj7FeULli5tj/kLahOOMO0N++ msHrJNNWa2ekU9GJ1NDCOGH0zYF4F5dxrdNxuOGzz6a0+5o1DBaWUEN0wAMceluJNnqv0qni AGmGDY9HHUM=
- Cc: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:cc:references:from:autocrypt:subject:message-id:date:user-agent :mime-version:in-reply-to; bh=FohMR7UZVB3ux/m1mg7rIRlm7FUaIXFjC60UwOCOFoM=; b=hPmAY76euHUATnGdbOxEXVf8nYxEm1arMWE1eZ/VjPkXT7ttctYUccHR0a6mi6P1T3 c2bJkkITZ8ouRcwTzoz61zAr2iXhaIKk8S4pv9UcfAxsv4zOg+wuypiivcjtaUHEARH9 LGnIkOXFhLAxeZFeVEC8Q7p4DJcVCksATYVZON6OB90LDlXfEab+hGByMh7IHrt3UgE0 jHO+Tmw4cmKiy71tgHVSJKAY2Akdu75UGQoxD7q11hXj7XUPgQf1R8Mi32UozbhXQlxc abenLRRow3OebW0LXt8l3txyT0Npzssqd2NTgYVuERe8lTdFAqvyjRSLT16BW+PcqW+b IaZA==
- Reply-to: brent timothy saner <brent.saner@gmail.com>
- Sender: "plug" <plug-bounces@lists.phillylinux.org>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
On 8/10/20 4:55 PM, Rich Freeman wrote:
> On Mon, Aug 10, 2020 at 4:14 PM brent timothy saner via plug
> <plug@lists.phillylinux.org> wrote:
>>
>> "Encrypt everything all the time" is generally not a good stance to take.
>>
>> Encrypt things that should be, like sensitive data? Absolutely. But
>> unquestioned enforced encryption is a generally bad idea because
>> encryption requires trust, which leads to either needing to verify every
>> single site or trusting a central authority. Which can then be a single
>> point of failure, technologically or politically.
>
> There is no attack that works on an "untrusted" (ie unauthenticated)
> encrypted connection that doesn't also work on an unencrypted
> connection. There are plenty of attacks that do work against
> unencrypted connections that fail against an unauthenticated encrypted
> connection.
You interestingly leave out authenticated encrypted connections, which
is convenient.
Step 1: "I have more trust (as a person/org) in this connection, because
it is encrypted and authenticated."
Step 2: Flaw/vulnerability in verification or encryption
Step 3: "I now trust (as a person/org) this fraudulent connection more
than other connections."
You've now granted more trust *value* to the compromised connection than
to the unencrypted connection.
>
> It makes zero sense to send stuff unencrypted. Even if you don't
> trust every certificate out there, you're more secure using encryption
> with an untrusted certificate, than you are not using encryption.
Tell that to reverse proxies to localhost, or debugging body payloads on
the wire, or VLAN'd load-balancing targets who want a single point of
TLS termination.
> Can somebody execute a MITM attack against an unauthenticated
> encrypted connection? Sure. However, they can't just passively
> evesdrop on the connection, which they can do with an unencrypted
> connection.
>
Which is my entire point, yes. As mentioned, you now have no option to
do that and place your entire trust chain in the hands of an external
party, unless you want to install your CA on all machines of your org.
Which is certainly a possibility, but the intranet is (should be) lower
risk than internet.
Attachment:
signature.asc
Description: OpenPGP digital signature
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
- References:
- [PLUG] news
- From: jeff via plug <plug@lists.phillylinux.org>
- Re: [PLUG] news
- From: Michael Lazin via plug <plug@lists.phillylinux.org>
- Re: [PLUG] news
- From: brent timothy saner via plug <plug@lists.phillylinux.org>
- Re: [PLUG] news
- From: Rich Freeman via plug <plug@lists.phillylinux.org>