anonymous DH & MITM
Steven M. Bellovin
smb at research.att.com
Wed Oct 1 22:22:08 EDT 2003
In message <3F7B6763.96C75690 at systemics.com>, Ian Grigg writes:
>M Taylor wrote:
>
>MITM is a real and valid threat, and should be
>considered. By this motive, ADH is not a recommended
>mode in TLS, and is also deprecated.
>
>Ergo, your threat model must include MITM, and you
>will pay the cost.
>
>(Presumably this logic is behind the decision by the
>TLS RFC writers to deprecate ADH. Hence, talking
>about ADH in TLS is a waste of time, which is why I
>have stopped suggesting that ADH be used to secure
>browsing, and am concentrating on self-signed certs.
>Anybody care to comment from the TLS team as to what
>the posture is?)

What's your threat model? Self-signed certs are no better than ADH
against MITM attacks. Until you understand your threat model, you don't
have any grounds to make that decision.

MITM is certainly possible -- I've seen it happen. The dsniff package
includes a MITM tool, as do many other packages; at the Usenix Security
conference a few years ago, someone intercepted all web-bound traffic
and displayed a page "All your packets are belong to us". Anyone on
the same LAN (switched or unswitched) could have done the same. If
you're not on the same LAN, a routing attack or a DNS attack could
result in the same thing, and those are happening, too, in the wild.

--Steve Bellovin, http://www.research.att.com/~smb
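
An added illustration, not part of the original message: a toy Diffie-Hellman exchange showing why a client with nothing to compare the peer's public value against (anonymous DH, or a self-signed key accepted on first sight) cannot tell a substituted value from the real one, while a fingerprint obtained out of band can. The group parameters, function names and the fingerprint-pinning step are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption: NOT a secure DH group).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def session_key(priv, peer_pub):
    """Derive a session key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    """Short digest of a public value, standing in for a cert fingerprint."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def client_accepts(received_pub, pinned_fp=None):
    """With no pinned fingerprint there is nothing to check: accept anything."""
    if pinned_fp is None:
        return True
    return hmac.compare_digest(fingerprint(received_pub), pinned_fp)

def run(intercepted, pin):
    """Simulate one exchange. Returns (client_accepted, keys_match_end_to_end)."""
    s_priv, s_pub = keypair()   # server
    c_priv, c_pub = keypair()   # client
    # Assumption: when pin=True the client learned this value out of band.
    pinned_fp = fingerprint(s_pub) if pin else None
    to_client, to_server = s_pub, c_pub
    if intercepted:
        # A party in the path replaces both public values with its own.
        _m_priv, m_pub = keypair()
        to_client, to_server = m_pub, m_pub
    accepted = client_accepts(to_client, pinned_fp)
    client_key = session_key(c_priv, to_client)
    server_key = session_key(s_priv, to_server)
    return accepted, client_key == server_key

if __name__ == "__main__":
    for intercepted in (False, True):
        for pin in (False, True):
            print(f"intercepted={intercepted} pin={pin} ->", run(intercepted, pin))
```

In the unpinned, intercepted case the client accepts even though its key is not shared with the server; only the out-of-band fingerprint makes the substitution visible.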
---------------------------------------------------------------------
The Cryptography Mailing List