The Electronic Frontier Foundation is warning about an alternative to the TLS 1.3 security protocol. This alternative, called ETS or eTLS, works around the forward secrecy features of TLS to enable post-facto decryption of TLS-encrypted traffic.
A consortium primarily backed by banks and financial institutions does not like that TLS 1.3 is secure and cannot be intercepted. That security is what protects people using the internet from common vulnerabilities and malware.
The IETF worked with the EFF to assert its rights as owner of TLS and to prevent a small group of lobbyists from using ETSI to get their way. ETSI has a strong emphasis on generating revenue from standards and a self-interest in promoting such a standard.
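To make the forward-secrecy point concrete, here is an added illustration (not code from the EFF post or from this page's author): a toy Diffie-Hellman exchange in Python in which a per-session server key that is discarded leaves a recorded transcript undecryptable, while an ETS-style static server key lets the recording be decrypted later. The group parameter, function names and the SHA-256 counter keystream are my own choices for the demonstration.

```python
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (group 2); used here only for illustration.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def xor_stream(key, data):
    """Toy keystream (SHA-256 in counter mode); stands in for the record-layer AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def record_session(server_pub, message):
    """Client half of the exchange; returns exactly what a passive network tap sees."""
    c_priv, c_pub = keypair()
    ciphertext = xor_stream(session_key(c_priv, server_pub), message)
    del c_priv  # the client forgets its ephemeral key once the session ends
    return {"server_pub": server_pub, "client_pub": c_pub, "ciphertext": ciphertext}

def decrypt_recorded(tap, server_priv):
    """Later decryption needs the server private key that matches tap['server_pub']."""
    return xor_stream(session_key(server_priv, tap["client_pub"]), tap["ciphertext"])

def ephemeral_scenario(message):
    """TLS 1.3 style: a fresh server key per session, discarded afterwards."""
    s_priv, s_pub = keypair()
    tap = record_session(s_pub, message)
    del s_priv  # forward secrecy: nothing that remains can recover the session key
    return tap

def static_scenario(message, static_priv, static_pub):
    """ETS style: the server reuses one static key that the operator archives."""
    tap = record_session(static_pub, message)
    return decrypt_recorded(tap, static_priv)  # the recording decrypts after the fact
```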
I oppose ETS, ETSI and the financial lobby group who intend to damage internet security just to avoid some costs around their internal IT security practice.
Things to think about:
- When the TLS 1.3 standards process was under way in the IETF, the decision was to make the protocol secure: there would be no back doors that could silently break user privacy.
- This aligns with the human-rights policies of the IETF and ISOC.
- This ensures that 99.990% of internet users would be better protected and safer, and that the internet would fulfil its goal of being a platform for everyone.
- Sure, the G-MAFIA have dominated what happens above the network, but not because the internet is insecure.
- At the last moment of the TLS 1.3 standards process, a group of big financial institutions turned up and started a campaign to prevent TLS 1.3 from being secure. This group sometimes calls itself BITS.
- Some businesses have requirements to monitor what employees and workers are doing.
- There are two ways for organisations to monitor and log:
  - Use the network to capture data and analyse it
  - Control the endpoints and log everything done on them
- We know that endpoints like MS Windows are not very good, and are difficult to keep reliable when monitoring software is installed. But that’s not a reason to make network protocols insecure.
- ‘Users as workers’ do not like having the monitoring right in front of them. It’s all much more convenient to do it on the network, and certainly more cost effective.
- Now they have taken their problems to another standards body, in this case ETSI, and attempted to define a standard there.
It is my understanding that ETSI is a for-profit organisation, based in France, and does not operate as a truly independent, open, transparent organisation. Its goal is to create standards that can be sold, or to generate service sales for a select group of people. This model was popular with telcos in the 1990s who wanted to create their own products and implementations.
Publishing this standard requires little work and would generate revenue for ETSI.
This wouldn’t necessarily create demand for implementations. The financial lobbyist group BITS would need to convince vendors to develop code to support protocols used by just a handful of endpoints. Why would a browser vendor write code to support this little-used protocol, even if ETSI claimed it as their standard?
Link: ETS Isn’t TLS and You Shouldn’t Use It | Electronic Frontier Foundation – https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it