Subj : Secure binkp
To   : Al
From : Oli
Date : Mon Nov 25 2019 05:51 pm

On Sun, 24 Nov 2019 14:25:50 -0800
"Al -> Oli" <0@106.4.21> wrote:

 A> He made it sound like TLS was not a solution, and insecure?
 A> I didn't quite follow what he said there.

If I understand it correctly, Alexey claims that TLS was weakened on request by some three letter agency. Of course algorithms with known backdoors were proposed by someone at some time and the financial industry tried to weaken the TLS 1.3 specification [1]. We also know that there are a number of vulnerabilities in TLS 1.2 and earlier versions.

On the one hand we have TLS 1.3 developed openly over years by the key players in the industry and experts from the crypto community. On the other hand we have the statement from Alexey about something something insecure without pointing to any specific vulnerability.

There is a lot to criticize about Google, Mozilla and Cloudflare, but when it comes to encryption I think they are doing a pretty good job. The Snowden leaks were a wake-up call and many were pissed and angry. Since then there is a clear determination to encrypt everything as securely as possible. If new vulnerabilities are discovered, they will be fixed ...

Maybe someone will implement a good alternative to TLS for binkp or a completely new protocol, but I haven't seen any announcement. Until then TLS (1.3) could provide strong encryption and is easy to add (the other alternative is encryption at the transport layer, like VPN, Tor, i2p, IPsec, ...)

[1] https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it

---
 * Origin: (21:1/151)