anonymous DH & MITM
Ian Grigg
iang at systemics.com
Wed Oct 1 19:46:43 EDT 2003
M Taylor wrote:
>
> Stupid question I'm sure, but does TLS's anonymous DH protect against
> man-in-the-middle attacks? If so, how? I cannot figure out how it would,
Ah, there's the rub. ADH does not protect against
MITM, as far as I am aware.
> and it would seem TLS would be wide open to abuse without MITM protection so
> I cannot imagine it would be acceptable practice without some form of
> security.
View A:
MITM is extremely rare. It's quite a valid threat
model to say that MITM is a possibility that won't
need to be defended against, 100%.
E.g.1, SSH which successfully defends most online
Unix servers, by assuming the first contact is a
good contact. E.g.2, PGP, which bounces MITM
protection up to a higher layer.
Or, what's your threat model? Why does it include
MITM and how much do you want to pay?
View B:
MITM is a real and valid threat, and should be
considered. By this motive, ADH is not a recommended
mode in TLS, and is also deprecated.
Ergo, your threat model must include MITM, and you
will pay the cost.
(Presumably this logic is behind the decision by the
TLS RFC writers to deprecate ADH. Hence, talking
about ADH in TLS is a waste of time, which is why I
have stopped suggesting that ADH be used to secure
browsing, and am concentrating on self-signed certs.
Anybody care to comment from the TLS team as to what
the posture is?)
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list