The tech and financial industries are butting heads over the latter’s push to intentionally weaken a security protocol that underlies how the public securely accesses the vast majority of the internet.
Critics are charging that the financial industry is pushing for a weakness in the new version of the Transport Layer Security (TLS) protocol, all for the sake of avoiding the time, effort and resources needed to adapt to the new standard.
TLS is a bedrock internet security protocol used to secure everything from web browsing and email to instant messaging, voice, video and the Internet of Things. A new version, known as TLS 1.3, will usher in the largest changes in the protocol’s history.
Contributors are hammering out the details before the update is likely finalized at the March meeting of the Internet Engineering Task Force (IETF), an independent group that designs internet standards. Heading into the meeting, the financial industry is trying — and so far failing — to gain support for a proposal that makes it possible for a third party to passively decrypt and monitor network traffic.
One draft proposal for TLS 1.3 lists an “option for negotiation of visibility in the datacenter.” That proposal is backed by BITS, the technology policy division of the Financial Services Roundtable. The roundtable represents about 100 of the top 150 U.S.-based financial services companies like banks and insurance companies.
The banks’ argument is that they need to be able to decrypt connections in their enterprise networks to comply with regulations, implement data loss protection, detect intrusions and malware, capture packets, and mitigate denial of service attacks.
Opponents say the intentional weakness — the harshest critics call it a “backdoor” — leaves the wider internet in danger of unauthorized decryption. Furthermore, banks have other solutions that are readily available to them that could remedy their concerns, including buying new middle-box equipment or re-architecting their networks.
“The bank industry is pushing the TLS working group to create a decryption option as part of the specification, and of course the tech sector is saying ‘That’s not going to happen,’ ” Janet Jones, a Microsoft senior security program manager, told CyberScoop. “Can you imagine us supporting something that gave an API with a decrypt button? We can’t do that.”
BITS didn’t respond to multiple requests for comment.
Jones told CyberScoop that industry groups with tech giants like Microsoft, Facebook and Google have turned down the proposal. However, the topic will likely come up for debate at the meeting in London, according to co-chair of the IETF’s TLS working group Joseph Salowey.
“We went to the banks and said there are ways to do what you want to do,” said Jones, who is also the vice chair of the tech industry’s Messaging, Malware and Mobile Anti-Abuse Working Group. “But you need to build that appliance on your own. I’m not going to build a decryption feature in. If I did, I might as well quit my job.”
How it all works
In previous versions of TLS, a mode called “static key exchange” established a connection between a client and server, with the client deriving a communication key then encrypting it on the server using the server’s certificate. This led to “non-forward secrecy,” meaning every communication could be retroactively decrypted after the fact with the certificate’s private key.
Non-forward secrecy was possible on the majority of the internet’s traffic until 2013. Then, the revelations from NSA whistleblower Edward Snowden suggested that the spy agency was compromising server keys, recording traffic and decrypting it, thanks in part to non-forward secrecy.
Corporations can do essentially the same thing as what the NSA is accused of doing, the major difference being that the surveillance is on their own networks and data centers.
The resulting privacy firestorm from the Snowden disclosures pushed security developers to embrace forward-secret connections, which would remove the ability to decrypt traffic after it reached its destination. The IETF decided in 2014 that forward secrecy would be baked into the protocol’s update: TLS 1.3 would require a key exchange known as an ephemeral Diffie-Hellman handshake, which means traffic can’t be easily decrypted after being transferred.
Yet, despite the IETF’s work to get rid of non-forward secrecy, the banks want to keep the ability to monitor everything at their whim.
Where have they been?
What makes the issue worse is that banks were late to the process with their proposal. Deprecating the old TLS standards was discussed in 2013, with the forced-secrecy seen as a “basic assumption” of TLS 1.3 as early as 2014. The IETF repeatedly confirmed that decision at in-person meetings as well as in online discussions. The banks’ proposal came in 2016, two years after development initially began.
The financial industry’s extraordinarily late entry to the process was one of several reasons the proposal generated quick and sustained backlash.
“The assertion that [non-forward secrecy] would only ever be used inside a data center, and it’s something the client has to explicitly opt-in to, is not one I find particularly convincing,” said Stephen Checkoway, an Assistant Professor of Computer Science at the University of Illinois at Chicago. “The reason is that the nature of cryptographic and security software means the code to run this will likely spread outside of data centers and a government could, for example, mandate that the option is turned on or block traffic.”
Checkoway added that any inherent weaknesses that get built into systems eventually come back to harm the public, sometimes decades later.
“Creating security protocols is a hard thing to do even when we’re trying to make them as secure as possible,” said Checkoway. “Our best option is to design a protocol that doesn’t have built-in weaknesses which is what they’re trying to introduce.”
The controversy continues
Matthew Green, a prominent cryptographer at Johns Hopkins University, has worked with the banks on a similar proposal because he feared their opposition could cause a general lack of adoption of TLS 1.3. However, that proposal was strongly opposed by critics at a 2017 IETF meeting in Prague that Green described as “very controversial.”
Green believes the banks don’t want to pay to install new equipment and to re-architect their networks in order to gain the visibility they’re looking for, so the industry will start deploying more interception technology under the radar and avoid the IETF entirely if their proposal fails.
“There are a whole bunch of non-transparent and even dangerous ways to hack this capability in,” he said. “The choice the IETF has is: Is it going to be done in a way where we can detect what’s happening or in a way where we can’t tell if a server has this enabled?”
Jones said the banks are now actively lobbying large internet service providers to jump on board and are offering to help with implementation. Microsoft and other tech giants were invited to come to the March IETF meeting to support the proposal. The response has been an emphatic no.
“I said, ‘My gosh, I can’t support that,’” Jones said. “I couldn’t imagine. Maybe way back when we didn’t have customer data in house but now you have cloud services and everybody hosts customer data. We can’t build in a backdoor.”