As TLS 1.3 approaches finalization, one group seeks a decryption backdoor
Encryption backdoors have been in the news quite a bit lately, and not for the right reasons. As politicians and law enforcement officials call for “responsible” encryption, one group involved in the finalization of the new TLS 1.3 standard is trying to make one a reality.
BITS, the technology policy division of the Financial Services Roundtable, which represents more than 100 of the largest US financial organizations, is pushing a TLS 1.3 proposal that lists an “option for negotiation of visibility in the datacenter.”
Opponents of this proposal call it an intentional weakness. Some even refer to it as a backdoor, the argument being that it leaves the wider internet in danger of unauthorized decryption.
While the banks say they need to decrypt connections inside their own enterprise networks to stay in compliance with the regulations they are subject to, others are quick to point out that there are alternatives that do not require weakening the TLS protocol for the entire internet.
“The bank industry is pushing the TLS working group to create a decryption option as part of the specification, and of course the tech sector is saying ‘That’s not going to happen,’ ” Janet Jones, a Microsoft senior security program manager, told CyberScoop. “Can you imagine us supporting something that gave an API with a decrypt button? We can’t do that.”
TLS 1.3 is in the final stages before it becomes an official standard. The remaining details are being hammered out, and the protocol is likely to be finalized later this month when the Internet Engineering Task Force (IETF) meets.
For those who aren’t regular readers, TLS 1.3 is the next version of the TLS protocol that provides encryption on the internet.
The TLS protocol is the successor to SSL. Although colloquially we still call the technology SSL, it is now TLS, or Transport Layer Security. I won’t bore you with a complete version history, but SSL 1.0 and 2.0 never really got off the ground, and SSL 3.0 was quickly replaced by TLS 1.0, then 1.1 and 1.2. The internet is currently somewhere between 1.1 and 1.2. TLS 1.3 promises better performance than its predecessors as well as a streamlined handshake. It also removes the static RSA key exchange of earlier versions in favor of ephemeral Diffie-Hellman, so every connection gets forward secrecy; that change is what breaks the passive decryption, using a copy of the server’s private key, that many enterprise monitoring appliances rely on today, and it is the reason the “visibility” proposal exists.
However, all of that would be rendered fairly moot if the financial sector got its way and a backdoor were included.
“We went to the banks and said there are ways to do what you want to do,” said Jones, who is also the vice chair of the tech industry’s Messaging, Malware and Mobile Anti-Abuse Working Group. “But you need to build that appliance on your own. I’m not going to build a decryption feature in. If I did, I might as well quit my job.”