anonymous DH & MITM

Steven M. Bellovin smb at research.att.com
Wed Oct 1 22:22:08 EDT 2003


In message <3F7B6763.96C75690 at systemics.com>, Ian Grigg writes:
>M Taylor wrote:

>
>MITM is a real and valid threat, and should be
>considered.  By this motive, ADH is not a recommended
>mode in TLS, and is also deprecated.
>
>Ergo, your threat model must include MITM, and you
>will pay the cost.
>
>(Presumably this logic is behind the decision by the
>TLS RFC writers to deprecate ADH.  Hence, talking
>about ADH in TLS is a waste of time, which is why I
>have stopped suggesting that ADH be used to secure
>browsing, and am concentrating on self-signed certs.
>Anybody care to comment from the TLS team as to what
>the posture is?)

What's your threat model?  Self-signed certs are no better than ADH 
against MITM attacks.  Until you understand your threat model, you don't
have any grounds to make that decision.

MITM is certainly possible -- I've seen it happen.  The dsniff package 
includes a MITM tool, as do many other packages; at the Usenix Security 
conference a few years ago, someone intercepted all web-bound traffic 
and displayed a page "All your packets are belong to us".  Anyone on 
the same LAN (switched or unswitched) could have done the same.  If 
you're not on the same LAN, a routing attack or a DNS attack could
result in the same thing, and those are happening, too, in the wild.


		--Steve Bellovin, http://www.research.att.com/~smb
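
Added example, not part of the original message: a Python sketch of why a client's acceptance check cannot tell a genuine key from a substituted one under either anonymous DH or a self-signed certificate. The toy group, the Schnorr-style signature, the certificate layout and the name www.example.com are all constructed assumptions for illustration; none of this is TLS code.

```python
import hashlib
import secrets

# Toy group for illustration only (constructed parameters, far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def _challenge(r, pub, name):
    data = f"{r}|{pub}|{name}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def self_signed_cert(name, priv, pub):
    """Schnorr-style signature over (name, pub), made with the cert's own key."""
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    s = (k + _challenge(r, pub, name) * priv) % (P - 1)
    return {"name": name, "pub": pub, "sig": (r, s)}

def accept_adh(pub):
    # Anonymous DH: the only check available is that the value is a usable group element.
    return 1 < pub < P - 1

def accept_self_signed(cert, expected_name):
    # The signature is verified with the key inside the cert: proves possession, not identity.
    r, s = cert["sig"]
    e = _challenge(r, cert["pub"], cert["name"])
    ok = pow(G, s, P) == (r * pow(cert["pub"], e, P)) % P
    return ok and cert["name"] == expected_name and accept_adh(cert["pub"])

def demo():
    server_priv, server_pub = keypair()
    other_priv, other_pub = keypair()   # key pair generated by any third party on the path
    client_priv, client_pub = keypair()
    genuine = self_signed_cert("www.example.com", server_priv, server_pub)
    substituted = self_signed_cert("www.example.com", other_priv, other_pub)
    return {
        "adh_genuine": accept_adh(server_pub),
        "adh_substituted": accept_adh(other_pub),
        "cert_genuine": accept_self_signed(genuine, "www.example.com"),
        "cert_substituted": accept_self_signed(substituted, "www.example.com"),
        # The client shares a secret with whoever supplied the key it accepted.
        "secret_with_third_party": pow(other_pub, client_priv, P) == pow(client_pub, other_priv, P),
        "secret_with_server": pow(other_pub, client_priv, P) == pow(client_pub, server_priv, P),
    }
```

Both checks return True for the genuine and the substituted key alike; nothing the client verifies in either mode ties the key to the server it meant to reach.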

