
The good news: TLS 1.3 is available, and the protocol, which powers HTTPS and many other encrypted communications, is better and more secure than its predecessors (including SSL). The bad news: Thanks to a financial industry group called BITS, there’s a look-alike protocol brewing called ETS (or eTLS) that intentionally disables important security measures in TLS 1.3. If someone suggests that you should deploy ETS instead of TLS 1.3, they are selling you snake oil and you should run in the other direction as fast as you can.

ETS removes forward secrecy, a feature that is so widely used and valued in TLS 1.2 that TLS 1.3 made it mandatory. This removal invisibly undermines security and has the potential to seriously worsen data breaches. As the ETS / eTLS spec says: "eTLS does not provide per-session forward secrecy. Knowledge of a given static Diffie-Hellman private key can be used to decrypt all sessions encrypted with that key."

In earlier versions of TLS and SSL, forward secrecy was an optional feature. If enabled, it ensured that intercepted communications couldn’t be retrospectively decrypted, even by someone who later got a copy of the server’s private key. This remarkable property is so valuable for security that the Internet Engineering Task Force (IETF), which develops Internet standards including TLS, decided that TLS 1.3 would only offer algorithms that provide forward secrecy.

The post-facto decryption weakness in TLS 1.2 and earlier versions is now considered a bug. It’s a product of its time that was produced by a number of factors, like government pressure not to implement stronger algorithms, a cloud of patent-related uncertainty around elliptic curve algorithms, and processor speed in the early 2000’s. Nowadays, it just makes plain sense to use forward secrecy for all TLS connections.

Unfortunately, during the long tenure of TLS 1.2, some companies, mostly banks, came to rely on its specific weaknesses. Late in the TLS 1.3 process, BITS came forward on behalf of these companies and said their members “depend upon the ability to decrypt TLS traffic to implement data loss protection, intrusion detection and prevention, malware detection, packet capture and analysis, and DDoS mitigation.” In other words, BITS members send a copy of all encrypted traffic somewhere else for monitoring. The monitoring devices have a copy of all private keys, and so can decrypt all that traffic.
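To make the spec's warning about a "static Diffie-Hellman private key" concrete, here is an added example (not code from the ETS spec or from this article) that simulates recorded handshakes and counts how many session keys follow from a single server private key. The toy group, the function names and the SHA-256 key derivation are assumptions chosen for illustration, not what TLS actually uses.

```python
import hashlib
import secrets

# Toy group for illustration only: 2**127 - 1 is prime but far too small and
# structured for real use. Real TLS 1.3 uses groups such as X25519.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def run_sessions(n, static_server_key=None):
    """Simulate n handshakes.

    Returns (capture, keys, last_server_priv). `capture` is what a passive
    tap records: the public shares only. `keys` are the real session keys.
    """
    capture, keys, s_priv = [], [], None
    for _ in range(n):
        # Static mode reuses one server key pair; otherwise a fresh pair is
        # generated per session and the previous private value is dropped.
        s_priv, s_pub = static_server_key or keypair()
        c_priv, c_pub = keypair()
        capture.append((c_pub, s_pub))
        keys.append(session_key(c_priv, s_pub))
    return capture, keys, s_priv

def sessions_exposed(capture, keys, known_server_priv):
    """Count recorded sessions whose key follows from one server private key."""
    derived = [session_key(known_server_priv, c_pub) for c_pub, _ in capture]
    return sum(d == k for d, k in zip(derived, keys))

if __name__ == "__main__":
    static = keypair()
    cap, keys, priv = run_sessions(5, static_server_key=static)
    print("static server key:", sessions_exposed(cap, keys, priv), "of 5 exposed")
    cap, keys, priv = run_sessions(5)
    print("per-session keys: ", sessions_exposed(cap, keys, priv), "of 5 exposed")
```

With a static key, every stored session depends on one long-lived secret; with per-session keys, the most recent private value covers only its own session, which is the property TLS 1.3 makes mandatory.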
