[Wikimedia-l] Disinformation regarding perfect forward secrecy for HTTPS

Marc A. Pelletier marc at uberbox.org
Fri Aug 2 22:30:37 UTC 2013


On 08/02/2013 05:50 PM, Matthew Flaschen wrote:
> It seems from the context "better tested" meant something like "people
> are using this in practice in real environments", not only automated
> testing.

And, indeed, given the constraints and objectives of the Tool Labs
(i.e.: no secrecy, all open source and data, high reliability), the more
important concern is "tested to be robust"; I'd deviate from
distribution packaging in the case where a security issue could lead to
escalation, but concerns about data leaks are not an issue.

And whilst I am not a cryptography expert (depending, I suppose, how to
define "expert") I happen to be very well versed in security protocol
design and zero-information analysis (but lack the math acumen for
cryptography proper so I have to trust the Blums and Shamirs of this
world at their word).

For what concerns us here in traffic analysis, TLS is almost entirely
worthless *on its own*.  It is a necessary step, and has a great number
of /other/ benefits that justify its deployment without having anything
to do with the NSA's snooping.  I was not making an argument against it.

What I /am/ saying, OTOH, is that random padding without (at least)
pipelining and placards *is* worthless to protect against traffic
analysis since any reliable method to do it would be necessarily robust
against deviation in size.  Given that it has a cost to implement and
maintain, and consumes resources, it would be counterproductive to do
that.  It would give false reassurance of higher security without
actually bringing any security benefit.  I.e.: theatre.

-- Marc
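The following is an added illustration of the point above about random padding; it is not part of Marc's message and not code from Tool Labs or Wikimedia. It assumes three hypothetical pages whose true response sizes differ by less than a hypothetical padding budget, and a server that appends a uniformly random 0..PAD_MAX bytes to each response. Because padding only ever adds bytes, an observer who sees the same page fetched a few times can prune every page whose size range is inconsistent with the observations, and the estimate converges on the true page; the padding only changes how many observations are needed.

```python
import random
from statistics import mean

# Constructed response sizes (bytes) for three hypothetical pages. They differ
# by less than the padding budget, so a single padded observation is ambiguous.
PAGE_SIZES = {"A": 40000, "B": 40600, "C": 41200}
PAD_MAX = 2048  # hypothetical scheme: server appends 0..PAD_MAX random bytes


def padded_size(true_size, rng):
    """Simulated on-the-wire size after random padding."""
    return true_size + rng.randint(0, PAD_MAX)


def observe(page, n, rng):
    """n independent observations of the same page (repeat visits, or many visitors)."""
    return [padded_size(PAGE_SIZES[page], rng) for _ in range(n)]


def candidates(observations):
    """Pages still consistent with every observation.

    A page with true size s can only ever appear as a size in [s, s + PAD_MAX],
    so each observation prunes the candidate set; the true page is never pruned.
    """
    lo, hi = min(observations), max(observations)
    return [p for p, s in PAGE_SIZES.items() if s <= lo and hi <= s + PAD_MAX]


def classify(observations):
    """Among surviving candidates, pick the page whose true size is nearest the
    mean observed size minus the expected padding (PAD_MAX / 2)."""
    est = mean(observations) - PAD_MAX / 2
    return min(candidates(observations), key=lambda p: abs(PAGE_SIZES[p] - est))


def run_trial(page, n, seed):
    """Simulate n padded observations of `page` with a seeded RNG and classify."""
    return classify(observe(page, n, random.Random(seed)))


if __name__ == "__main__":
    rng = random.Random(2013)
    for page in PAGE_SIZES:
        obs = observe(page, 30, rng)
        print(page, "after 1 obs:", candidates(obs[:1]),
              "after 30 obs:", candidates(obs), "guess:", classify(obs))
```

With one observation all three pages are usually still possible; after a few dozen the candidate set collapses to the true page, which is the "robust against deviation in size" property the message refers to.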
