anonymous DH & MITM

Tim Dierks tim at dierks.org
Wed Oct 1 22:49:44 EDT 2003


At 10:37 PM 10/1/2003, Peter Gutmann wrote:
>Tim Dierks <tim at dierks.org> writes:
> >It does not, and most SSL/TLS implementations/installations do not support
> >anonymous DH in order to avoid this attack.
>
>Uhh, I think that implementations don't support DH because the de facto
>standard is RSA, not because of any concern about MITM (see below).  You can
>talk to everything using RSA, you can talk to virtually nothing using DH,
>therefore...

Sure, although it's a chicken & egg thing: it's not the standard because 
the initial adopters & designers of SSL didn't have any use for it (not to 
mention the political strength of RSADSI in the era).

> >Many wish that anon DH was more broadly used as an intermediate security
> >level between bare, insecure TCP & authenticated TLS, but this is not common
> >at this time.
>
>RSA is already used as anon-DH (via self-signed, snake-oil CA, expired,
>invalid, etc etc certs), indicating that MITM isn't much of a concern for most
>users.

There are so many different categories of users that it's probably 
impossible to make any blanket statements about "most users". It's 
certainly true that a web e-commerce vendor doesn't have much use for 
self-signed certificates, since she knows that dialogs popping up warning 
customers that they have some problem they don't understand is going to 
lead to the loss of some small fraction of sales. (Not that she necessarily 
has any concern about the security implications: it's almost entirely a 
customer comfort and UI issue.)

  - Tim


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


