Skip to main content
banner image
venafi logo

TLS 1.3 Visibility Extension Proposal: Banks Want More Visibility, But So Do Cyber Criminals.

TLS 1.3 Visibility Extension Proposal: Banks Want More Visibility, But So Do Cyber Criminals.

TLS 1.3 Visibility Extension Proposal
March 12, 2018 | David Bisson

Members of the financial industry have proposed a visibility extension that CyberScoop reports would effectively weaken the Transport Layer Security (TLS) 1.3 protocol.

BITS, the technology policy division of the Financial Services Roundtable (FSR), introduced an "Option for Negotiation of Visibility in the Datacenter." A not-for-profit consortium that counts 100 of the largest financial institutions in the United States as members, BITS made the recommendation in response to TLS 1.3 draft conditions that limit "effective and safe operation of… enterprise networks."

Current drafts of TLS 1.3 use ephemeral-mode Diffie-Hellman (DHE) and elliptic-curve Diffie-Hellman (ECDHE) as their primary cryptographic key exchange mechanisms. Those methods, are effective BITS' proposal notes, constituting "in nearly all ways an improvement over the TLS RSA handshake." But they fall short, the Internet-Draft argues, in that they prevent "the use of current enterprise network monitoring tools" like IDS systems.

To address those shortcomings, BITS recommends the creation of a "TLS Visibility Extension." that would allow an authorized party to gain visibility into a TLS 1.3 session. After a TLS client opts in, the server responds by including resources that would enable decryption of the session.

Janet Jones, a Microsoft senior security program manager, thinks such an option is a terrible idea. As she told CyberScoop:

“The bank industry is pushing the TLS working group to create a decryption option as part of the specification, and of course the tech sector is saying 'That’s not going to happen.' Can you imagine us supporting something that gave an API with a decrypt button? We can’t do that. We went to the banks and said there are ways to do what you want to do. But you need to build that appliance on your own. I’m not going to build a decryption feature in. If I did, I might as well quit my job.”

Jones isn't alone in her disapproval. The proposal met with fierce backlash from many in the technical community.

Take Stephen Checkoway's reasoning, for instance. An assistant professor of computer science at the University of Illinois at Chicago, Checkoway sees huge problems with bringing back "static key exchange," something provided by previous TLS versions to allow retroactive decryption of a session using a certificate's private key. His main concern is whether it's possible to limit non-forward secrecy use to just data centers.

"The reason is that the nature of cryptographic and security software means the code to run this will likely spread outside of data centers and a government could, for example, mandate that the option is turned on or block traffic," Checkoway explains. "Creating security protocols is a hard thing to do even when we’re trying to make them as secure as possible. Our best option is to design a protocol that doesn’t have built-in weaknesses which is what they’re trying to introduce."

The TLS Visibility Extension Internet-Draft is set to expire on 2 April 2018. To learn more about the proposal, review its text here.

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

Why Encryption Should Be the Next Step in Operationalizing GDPR Compliance

Why Encryption Should Be the Next Step in Operationalizing GDPR Compliance

Russia-Yandex Encryption Spat Highlights Trust as a Competitive Business Advantage

Russia-Yandex Encryption Spat Highlights Trust as a Competitive Business Advantage

https phishing, tls certificate, phishing scam

FBI Warns Users about Phishing Campaigns that Leverage HTTPS Websites

About the author

David Bisson
David Bisson

David Bisson writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat