Skip to main content
banner image
venafi logo

TLS 1.3 Visibility Extension Proposal: Banks Want More Visibility, But So Do Cyber Criminals.

TLS 1.3 Visibility Extension Proposal: Banks Want More Visibility, But So Do Cyber Criminals.

TLS 1.3 Visibility Extension Proposal
March 12, 2018 | David Bisson

Members of the financial industry have proposed a visibility extension that CyberScoop reports would effectively weaken the Transport Layer Security (TLS) 1.3 protocol.

BITS, the technology policy division of the Financial Services Roundtable (FSR), introduced an "Option for Negotiation of Visibility in the Datacenter." A not-for-profit consortium that counts 100 of the largest financial institutions in the United States as members, BITS made the recommendation in response to TLS 1.3 draft conditions that limit "effective and safe operation of… enterprise networks."

Current drafts of TLS 1.3 use ephemeral-mode Diffie-Hellman (DHE) and elliptic-curve Diffie-Hellman (ECDHE) as their primary cryptographic key exchange mechanisms. Those methods, are effective BITS' proposal notes, constituting "in nearly all ways an improvement over the TLS RSA handshake." But they fall short, the Internet-Draft argues, in that they prevent "the use of current enterprise network monitoring tools" like IDS systems.

To address those shortcomings, BITS recommends the creation of a "TLS Visibility Extension." that would allow an authorized party to gain visibility into a TLS 1.3 session. After a TLS client opts in, the server responds by including resources that would enable decryption of the session.

Janet Jones, a Microsoft senior security program manager, thinks such an option is a terrible idea. As she told CyberScoop:

“The bank industry is pushing the TLS working group to create a decryption option as part of the specification, and of course the tech sector is saying 'That’s not going to happen.' Can you imagine us supporting something that gave an API with a decrypt button? We can’t do that. We went to the banks and said there are ways to do what you want to do. But you need to build that appliance on your own. I’m not going to build a decryption feature in. If I did, I might as well quit my job.”

Jones isn't alone in her disapproval. The proposal met with fierce backlash from many in the technical community.

Take Stephen Checkoway's reasoning, for instance. An assistant professor of computer science at the University of Illinois at Chicago, Checkoway sees huge problems with bringing back "static key exchange," something provided by previous TLS versions to allow retroactive decryption of a session using a certificate's private key. His main concern is whether it's possible to limit non-forward secrecy use to just data centers.

"The reason is that the nature of cryptographic and security software means the code to run this will likely spread outside of data centers and a government could, for example, mandate that the option is turned on or block traffic," Checkoway explains. "Creating security protocols is a hard thing to do even when we’re trying to make them as secure as possible. Our best option is to design a protocol that doesn’t have built-in weaknesses which is what they’re trying to introduce."

The TLS Visibility Extension Internet-Draft is set to expire on 2 April 2018. To learn more about the proposal, review its text here.

Related posts

Like this blog? We think you will love this.
Featured Blog

What Are SSL Stripping Attacks?

A bit of history The creator of SSL strip vulnerability is Moxie Marlinspike, a well-kn

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more