Re: [PLUG] news

brent timothy saner via plug on 11 Aug 2020 10:19:18 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] news

From: brent timothy saner via plug <plug@lists.phillylinux.org>
To: Rich Freeman <r-plug@thefreemanclan.net>
Subject: Re: [PLUG] news
Date: Tue, 11 Aug 2020 13:18:46 -0400
Autocrypt: addr=brent.saner@gmail.com; prefer-encrypt=mutual; keydata= mQINBFKm0mgBEADSI5oeyqRYZ8YWxPbux4CeqaMNh4etuyJmglDRCQB9t1XlvhMDLZWQNqm+ ORBN3YGISUu+X55p10lK/O1w/85zXkAV7Qe6fkvUzSx0tbPWLu4rn4zH9JgTExElhFRv143H W/EKehejEetkNz6JSwGUXNiF5qh1GbKLOmShbmCSKXLcmw05Qj4ELmhkH9OWXpeM0EHmWIEK VSeoIim/g1MYYxKOb1wY3DEubY9zn3lfz9xfLq/xlFMepDyNAEer/qZDSHQqnymdqXlt6L9e mfd4snHLiDfUgG9JOPeMDWeT6XWJDtKKCcZ3JDSMEGgZsFYpwJxJEwPxnfhHJmH8ENxi/8Cu 0fLFvzgAP+VK/Z1egBI7l241fDDREg3e+NWFhUM5bjwBmqk1z8nkRdru+QSMtPl6Erkd+Tbp 7lGGpQwCbI6esdBPkx/nV8+fIPEcsR2G5jG7O9U4J6q3B1nRFrR863SJHudIWV/l59ZvA8kI knDYNOixPLmnoRrO7LNIWe9jpnkZdg34Aa5AjAjGEKwY5EAzqkKuPEMVGqg/36YUcnqYS98W iVgCpaGg6KJqCMVXBfugxd79rtkyT4Oeju/z/Yp2xxXm3Pqcocb1CxbiEYDLJNT7/hyIJ072 4asMz2DTDMIMciP93hPraEtINknPlerNX2XqK03D+gyBGqAL7QARAQABtCtCcmVudCBUaW1v dGh5IFNhbmVyIDxicmVudC5zYW5lckBnbWFpbC5jb20+iQI8BBMBAgAmAhsDBwsJCAcDAgEG FQgCCQoLBBYCAwECHgECF4AFAlLzvnsCGQEACgkQjABML5NIH2vQHxAArz6yjoQqUPoOFBRF P6hXHcMegvh4vZ0xOcoU+7KyUyD2f5jYivQFSVYcRDr7hyHTs3iRr0HKN8dUUSyLkNCc+rd2 FwqftUF2JLqlqpJ4HDXw+5L2rw0+0voy7JpRNtoGlfkh32SHIbTmNwVIFm1yVg+xNk0RAvl8 /NnPzgi0IKgOJNcxicLpy0f0o/uWHKcm6uS8SBZL3col1Wuhwqt/VY7Nz0cCF7IrRNGyMMPF PMRq3A5144U81WQR94iGlpvWku/qnFAvC9NNTllCwFYpiuI2BkndlPO3YqOwcGbVTOO765la Qz9EQn9b9ipnPjOSp9HLhu53RoJyUWogBtijCzEgODYJuflPWoXG4ubB11wP2CRPZzj3KqFE cShAyNwE2bAtHwtqsksII3J46EEQDrHam/0D6F+jNMZK31E/ET9WcdzZhFRGaBd748dRcaoH BaHpviH+GtRZiWtrR0238Df05MtZPTlZi2t4icBIGVN4j0mcMbgVY/5CudLQGa7BSjnKR/uy hJI7ANOHCsIud6rIB9s5qly60bXjOZ4hG1iFIhUFC+zgrOYGZLbJgCaKd5sdBCWOsQwInD/X eWO+6p4bW0YIp0YXZA5+0Uo8EP4t+NzvfGhe19gy8hrJYZGSW1PJDvqvs+b5XO2j5Be6ec2Y 09Ta99U94SxWp3nXpKS5Ag0EUqbSaAEQAMIB/UpTre+NGzkvTmO6wnfQuzJKEEWnX2p/+eQF ZgDhObvwhvZr7C3I9wP3JnAP3LoJqrnmp78qE2v7snlSG1i66hqcj8Cw2EkBRLFsseva2uI5 B63RLrV0tTXN86nmHhw8qJ2GBu84Ddw7KtYoCRbq902eWsgWxRJVwAK+ip24tVVJxaR23nkO FwU+suYRDhiM9GLVj2waomgJK60dhxLOLZSRwJ0S1A2pu16GEx8USEoz7WNDJgx8PJPSzyH5 U7h9hXhpTEvS8nOV5G7YhksKBR6ECjmleCSehBaotVTAhXTfoh9fyCusMBwizLBoS8GmPUnv nUlvJzyAzu1KxnFzpwEk9ZBgLqWxzC/i4PZKrpqG7n5JqgEl0gg+7fn5Sdwq14Trg+djDGa5 c8n5hXEyszWTka53AhVCn8yq01zYNZoMDG6adYku/g3n5mBxKYuSoMkzuPRgihpsrhN/0RGY nJRDw5cpAjywWhTfFWGaAz6mDNhCV9daoqAoFjmIt9PAFeTrHj0XZXW7C53t4Qor9Nc5goh5 jlw7vv58CpdF0dPF6jLhDL2AYtplqwdPQr8+hj8WyFW8Rbj/OOj/z/JdDa6xCqfvh0udGLVa FDwQXZ1D4sqjwABhqdCppYb9TSq0TzR2LyZDnn/JZied2Q2LypPbsoGa3qd//w5W6NczABEB AAGJAh8EGAECAAkFAlKm0mgCGwwACgkQjABML5NIH2tCDBAAiMHQIKXCnm3XOcBuArJ8l0Yp W7q9KWF1YtmK+Jg+JqF8vTR7qvJ1djpVJVzCbL73bSrw24bLjHhcATuBsQxYPu2sSulcPB8n ri3ki/rWiWpNtjykKi6z56o+vDmbVH8UyA++zHQIaOx7tyKnh4w1F2i46132yMHLHFAdQkAl AJRMIQ6E0AKK9t61r+NJ0KT8g1h9PMcJkPWkGmQjT9eahLlO1H3kua0xCZ264CFUkpYo7t0I Y9BuRafzrqRqrYBJzEeDSd2dNz8u+jTF8RlHyaiePcTE9R1A41mK2vDCgWAbmXW8eruVz+Av zdXSNr6erccamRmeTIyJ5WpGeoA/ZeTDVSLzU2/i/PK2yI/8DTwWnt0iLC+8qvbz+E27/8i5 x5w3PosUjXzHQugBZO0xrBqti9rWV6u73zAE07EKaGfTm4Py3HRfysmFijcT0xpEeuilXM72 TixP75enqXN45ouwrapBcjAM3oxn+eVAagtzMUjXjHJBP5g5PHCRTuzakNzvFu1YNV9Oec8S O+hoQAuW6Wy5NfCN3Bg+KHPu/U6Lw9TcbFtCGOswMx9U2Thuj7FeULli5tj/kLahOOMO0N++ msHrJNNWa2ekU9GJ1NDCOGH0zYF4F5dxrdNxuOGzz6a0+5o1DBaWUEN0wAMceluJNnqv0qni AGmGDY9HHUM=
Cc: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:cc:references:from:autocrypt:subject:message-id:date:user-agent :mime-version:in-reply-to; bh=4ofmjySFZmhSLbQS/jNFtzeZzf+FWP1f7qB4tK1P9Cw=; b=s1h+DCn2G1ZGkMnzPbprPQOnOhaXeqFTMvuuBYnVYx1EqhgbrUntysDZtHpwCC+BPV 83pTtJSYppCIeBtzJr3K8QYF5ueFz7i6Ya63UhhYAKHxM3fbvWbZFE9jDg5OSd9KVBfa bUCIwI9DNpkF7rMnj5DYHECQpI1XjM8pq/fG0XmaJxcy6uc47Gy1nVWnUlGiswzKORFe UkQ/goHd7dqfYuZrWopRl/ZhUQNIYYg1KBifEmQp5HFH5KzxIB2Vf0sUPN4lHUJKNAFE ncy+T4Sp5mAog9P1WMkGYTABlswXt+Vz2tnUSh11itGXYqkxGFH0ZPjYh+UZCHFU8ZdK R4OQ==
Reply-to: brent timothy saner <brent.saner@gmail.com>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0

On 8/11/20 12:49 PM, Rich Freeman wrote:
> On Mon, Aug 10, 2020 at 5:15 PM brent timothy saner

>> Step 1: "I have more trust (as a person/org) in this connection, because
>> it is encrypted and authenticated."
>> Step 2: Flaw/vulnerability in verification or encryption
>> Step 3: "I now trust (as a person/org) this fraudulent connection more
>> than other connections."
>>
>> You've now granted more trust *value* to the compromised connection than
>> to the unencrypted connection.
> 
> Rightly so, because if you have the ability to exploit a vulnerability
> in step 2 with an encrypted connection, you can exploit the same
> vulnerability in an unencrypted connection.
> 

The attack mentions an attack directly on the encryption.

You're referring to the implicated additional attack on the TLS-tunneled
layer underneath (or "inside", more accurately).

The trust value you have placed on this is greater than the trust value
on a plaintext connection. Meaning you have *more* data/access afforded
to it. Which is now accessed, and is less likely to throw alarms because
it wasn't treated with the same level of paranoia, for the lack of a
better word, than the plaintext channel was.

>>> Can somebody execute a MITM attack against an unauthenticated
>>> encrypted connection? Sure.  However, they can't just passively
>>> evesdrop on the connection, which they can do with an unencrypted
>>> connection.
>>
>> Which is my entire point, yes. As mentioned, you now have no option to
>> do that and place your entire trust chain in the hands of an external
>> party, unless you want to install your CA on all machines of your org.
>> Which is certainly a possibility, but the intranet is (should be) lower
>> risk than internet.
> 
> I'm not really sure what you're taking issue with here.
> 
> Is your argument that you don't like the design of web browsers where
> CA trust is an all-or-nothing proposition?  If so I agree with you,
> but that isn't an issue with encryption - it is an issue with how it
> is implemented in a specific context.  Browser encryption is pretty
> terrible - about the only thing that is worse is not using it at all,
> which seems to be what you're advocating for.
> 

I think X.509 is pretty broken as a model, partly for the complete trust
one places in CA trust, and enforcing it as the de facto is going to
lead to some unexpected results.

I'm not advocating for never using it, I'm advocating for nuance -
context, risk assessment, and the like - rather than a blind and blunt
approach with no consideration for foresight.

Attachment: signature.asc
Description: OpenPGP digital signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] news
  - From: Rich Freeman via plug <plug@lists.phillylinux.org>

References:
- [PLUG] news
  - From: jeff via plug <plug@lists.phillylinux.org>
- Re: [PLUG] news
  - From: Michael Lazin via plug <plug@lists.phillylinux.org>
- Re: [PLUG] news
  - From: brent timothy saner via plug <plug@lists.phillylinux.org>
- Re: [PLUG] news
  - From: Rich Freeman via plug <plug@lists.phillylinux.org>
- Re: [PLUG] news
  - From: brent timothy saner via plug <plug@lists.phillylinux.org>
- Re: [PLUG] news
  - From: Rich Freeman via plug <plug@lists.phillylinux.org>

Prev by Date: Re: [PLUG] news
Next by Date: Re: [PLUG] news
Previous by thread: Re: [PLUG] news
Next by thread: Re: [PLUG] news
Index(es):
- Date
- Thread