Tuesday, 26 February 2019

A finance industry group is pushing an intentionally broken cryptography "standard" called ETS

ETS was originally called "Enterprise TLS," implying that it was an "enterprise-grade" version of TLS, the system used to secure internet sessions (if you visit a URL that starts with "https://", it's being protected with TLS).

But BITS, a finance industry group, was forced to change the name to ETS after loud objections from the Internet Engineering Task Force.

That's because ETS intentionally weakens TLS, disabling "forward secrecy," an amazing cryptographic tool that makes intercepted connections secure against decryption, even against someone who later gains access to the server's private key.

Forward secrecy is standard in all kinds of cryptographic security, and is part of TLS 1.3, the latest version of the protocol. But BITS objected to this, saying that the inability to sneakily decrypt secure communications would interfere with its ability to "implement data loss protection, intrusion detection and prevention, malware detection, packet capture and analysis, and DDoS mitigation" -- basically, BITS wanted to preserve the ability of companies to provide their private keys to third-parties who monitored all their traffic.

As the Electronic Frontier Foundation's Jacob Hoffman-Andrews writes, "there’s a real harm that comes from weakening a critical protocol to provide easier in-datacenter monitoring for a small handful of organizations." The IETF rejected the idea of disabling forward secrecy, even in limited ways.

Since being turned down at the IETF, BITS has been attempting to standardize ETS at a lesser standards body, ETSI, where they initially called the project "ETLS," but, as noted, were forced to change this to ETS.

TLS is used to secure everything that runs over the web, including things like firmware patches for power-plants, vehicles and medical implants. Intentionally introducing weaknesses into it isn't just nuts, it's an act of monumental recklessness bordering on criminality.

After much discussion, IETF decided not to standardize this modest proposal. Its risks were too great. So BITS took it to another standards organization, ETSI, which was more willing to play ball. ETSI has been working on its weakened variant since 2017, and in October 2018 released a document calling their proposal eTLS. They even submitted public comment asking NIST to delay publication of new guidelines on using TLS 1.3 and recommend eTLS instead.

Meanwhile, the IETF caught wind of this and strenuously objected to the misleading use of the name TLS in “eTLS:” “Our foremost concern remains the use of a name that implies the aegis of Transport Layer Security (TLS), a well-known protocol which has been developed by the IETF for over twenty years.” ETSI backed down, and the next revision of their weakened variant will be called “ETS” instead. Instead of thinking of this as “Enterprise Transport Security,” which the creators say the acronym stands for, you should think of it as “Extra Terrible Security.”

Internet security as a whole is greatly improved by forward secrecy. It’s indefensible to make it worse in the name of protecting a few banks from having to update their legacy decrypt systems. Decryption makes networks less secure, and anyone who tells you differently is selling something (probably a decryption middlebox). Don’t use ETS, don’t implement it, and don’t standardize it.

ETS Isn't TLS and You Shouldn't Use It [Jacob Hoffman-Andrews/EFF Deeplinks]