anonymous DH & MITM

Ian Grigg iang at systemics.com
Wed Oct 1 23:50:01 EDT 2003


"Steven M. Bellovin" wrote:
> 
> In message <3F7B6763.96C75690 at systemics.com>, Ian Grigg writes:
> >M Taylor wrote:
> 
> >
> >MITM is a real and valid threat, and should be
> >considered.  By this motive, ADH is not a recommended
> >mode in TLS, and is also deprecated.
> >
> >Ergo, your threat model must include MITM, and you
> >will pay the cost.
> >
> >(Presumably this logic is behind the decision by the
> >TLS RFC writers to deprecate ADH.  Hence, talking
> >about ADH in TLS is a waste of time, which is why I
> >have stopped suggesting that ADH be used to secure
> >browsing, and am concentrating on self-signed certs.
> >Anybody care to comment from the TLS team as to what
> >the posture is?)
> 
> What's your threat model?  Self-signed certs are no better than ADH
> against MITM attacks.

I agree.  As a side note, I think it is probably
a good idea for TLS to deprecate ADH, simply
because self-signed certs are more or less
equivalent, and by unifying the protocol around
certificates, it reduces some amount of complexity
without major loss of functionality.

(AFAIK, self-signed certs in every way dominate
ADH in functional terms.)

> Until you understand your threat model, you don't
> have any grounds to make that decision.

I think we are in agreement on that!?

> MITM is certainly possible -- I've seen it happen.  The dsniff package
> includes a MITM tool, as do many other packages; at the Usenix Security
> conference a few years ago, someone intercepted all web-bound traffic
> and displayed a page "All your packets are belong to us".


An appropriate security model for a security conference
might be to put a sign up at the door saying

    "All your assumptions are belong to us"

At least that way everyone would be in tune with the
nature of the conference.

Anything that happens at the Usenix Security Conference
is, in my book, ruled out of one's regular, commercially
relevant threat model.  Same goes for "demos in a Uni
student lab."

We all know it's possible.  The question is, should we
worry about it?  And, following on from Perry's method,
should we impose our own fears on others?

A threat must occur sufficiently in real use, and incur
sufficient costs in excess of protecting against it, in
order to be included in the threat model on its merits.


> Anyone on
> the same LAN (switched or unswitched) could have done the same.  If
> you're not on the same LAN, a routing attack or a DNS attack could
> result in the same thing, and those are happening, too, in the wild.


I know a couple of instances were posted maybe 6
months back.  What we need really is some sort of
repository of MITM attacks "in the wild."  Costs
would be very useful too.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
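The thread's central claim, that a self-signed certificate gives no more protection against a man-in-the-middle than anonymous DH does, can be seen directly by running both handshakes through an attacker. The following is an added example written for this page, not code from the thread or from any TLS implementation. It uses a toy Mersenne-prime group (not a real DH group, for illustration only), and the certificate's signature is replaced by mixing the peer's long-term key into the session key via static DH, which is enough to show the point: a self-signed cert is a long-term key bound to nothing but itself, so Mallory simply presents her own. The last scenario goes slightly beyond the text: it adds a key that Alice learned out of band (a pin), which is the only thing that makes the cert worth more than ADH. Names such as Party, handshake and scenarios are this example's own.

```python
import hashlib
import secrets

# Toy group for illustration only: a Mersenne-prime modulus and a small
# generator.  Real deployments use a standardised group (RFC 3526, X25519).
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Return (private, public) for one DH exponent in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(*shared):
    """Derive a short session-key tag from one or more DH shared secrets."""
    h = hashlib.sha256()
    for s in shared:
        h.update(s.to_bytes(16, "big"))   # every value is < P < 2**127
    return h.hexdigest()[:16]


class Party:
    """One endpoint.  use_cert=False is anonymous DH.  use_cert=True adds a
    long-term key presented as a 'self-signed cert' (subject, long-term pub)
    that vouches for nothing but itself; the long-term key is mixed into the
    session key by static DH, standing in for the cert's signature here.
    Both sides of a handshake are assumed to use the same mode."""

    def __init__(self, name, use_cert, claim=None):
        self.name = name
        self.claim = claim or name            # subject the cert asserts: anyone can claim anything
        self.static = dh_keypair() if use_cert else None
        self.pins = {}                        # subject -> long-term pub learned out of band

    def hello(self):
        self.eph = dh_keypair()
        cert = (self.claim, self.static[1]) if self.static else None
        return cert, self.eph[1]

    def finish(self, peer_cert, peer_eph_pub):
        parts = [pow(peer_eph_pub, self.eph[0], P)]
        if peer_cert is not None:
            subject, peer_static_pub = peer_cert
            pinned = self.pins.get(subject)
            if pinned is not None and pinned != peer_static_pub:
                raise ValueError(f"{self.name}: key presented for {subject!r} does not match pin")
            parts.append(pow(peer_static_pub, self.static[0], P))
        return kdf(*parts)


def handshake(alice, bob, mallory_use_cert=None):
    """Run Alice<->Bob.  With mallory_use_cert set, Mallory sits in the path and
    answers each side with her own share (and, when certs are used, her own
    self-signed cert claiming the other side's name)."""
    a_cert, a_eph = alice.hello()
    b_cert, b_eph = bob.hello()
    if mallory_use_cert is None:
        return {"alice_key": alice.finish(b_cert, b_eph), "bob_key": bob.finish(a_cert, a_eph),
                "alice_accepts": True, "mitm_reads_both": False}
    to_alice = Party("mallory", mallory_use_cert, claim=bob.name)
    to_bob = Party("mallory", mallory_use_cert, claim=alice.name)
    ma_cert, ma_eph = to_alice.hello()
    mb_cert, mb_eph = to_bob.hello()
    try:
        alice_key = alice.finish(ma_cert, ma_eph)      # Alice believes she is talking to Bob
    except ValueError:
        return {"alice_key": None, "bob_key": None, "alice_accepts": False, "mitm_reads_both": False}
    bob_key = bob.finish(mb_cert, mb_eph)
    key_with_alice = to_alice.finish(a_cert, a_eph)
    key_with_bob = to_bob.finish(b_cert, b_eph)
    return {"alice_key": alice_key, "bob_key": bob_key, "alice_accepts": True,
            "mitm_reads_both": alice_key == key_with_alice and bob_key == key_with_bob}


def scenarios():
    """No attacker; ADH under MITM; self-signed cert under MITM; self-signed plus pin."""
    out = {"adh_no_attacker": handshake(Party("alice", False), Party("bob", False)),
           "adh_mitm": handshake(Party("alice", False), Party("bob", False), mallory_use_cert=False),
           "selfsigned_mitm": handshake(Party("alice", True), Party("bob", True), mallory_use_cert=True)}
    a, b = Party("alice", True), Party("bob", True)
    a.pins["bob"] = b.static[1]        # learned out of band, or on an earlier unattacked contact
    out["selfsigned_pinned_mitm"] = handshake(a, b, mallory_use_cert=True)
    return out


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:24s} alice_accepts={r['alice_accepts']!s:5s} mitm_reads_both={r['mitm_reads_both']}")
```

In the first two attacked scenarios Mallory ends up holding a key in common with each side and Alice and Bob hold different keys without noticing; the cert changes nothing because nobody checks it against anything. Only the pinned run fails closed, and that failure comes from the out-of-band key, not from the certificate format, which is the sense in which self-signed certs and ADH fall under the same threat model.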