anonymous DH & MITM
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Oct 1 22:37:31 EDT 2003
Tim Dierks <tim at dierks.org> writes:
>It does not, and most SSL/TLS implementations/installations do not support
>anonymous DH in order to avoid this attack.
Uhh, I think that implementations don't support DH because the de facto
standard is RSA, not because of any concern about MITM (see below). You can
talk to everything using RSA, you can talk to virtually nothing using DH,
therefore...
>Many wish that anon DH was more broadly used as an intermediate security
>level between bare, insecure TCP & authenticated TLS, but this is not common
>at this time.
RSA is already used as anon-DH (via self-signed, snake-oil CA, expired,
invalid, etc etc certs), indicating that MITM isn't much of a concern for most
users.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list