SSL, client certs, and MITM (was WYTM?)

Tom Otvos tom.otvos at rogers.com
Wed Oct 22 15:46:23 EDT 2003 

I read the "WYTM" thread with great interest because it dovetailed nicely with some research I am
currently involved in.  But I would like to branch this topic onto something specific, to see what
everyone here thinks.

As far as I can glean, the general consensus in WYTM is that MITM attacks are very low (read:
inconsequential) probability.  Is this *really* true?  I came across this paper last year, at the
SANS reading room:

	http://rr.sans.org/threats/man_in_the_middle.php

I found it both fascinating and disturbing, and I have since confirmed much of what it was
describing.  This leads me to think that an MITM attack is not merely of academic interest but one
that can occur in practice.  With sufficiently simplified tools this type of attack can readily be
launched by "script kiddies" or someone only just slightly higher on the hacker evolutionary scale.

Having said that then, I would like to suggest that one of the really big flaws in the way SSL is
used for HTTP is that the server rarely, if ever, requires client certs.  We all seem to agree that
convincing server certs can be crafted with ease so that a significant portion of the Web population
can be fooled into communicating with a MITM, especially when one takes into account Bruce
Schneier's observations of legitimate uses of server certs (as quoted by Bryce O'Whielacronx).  But
as long as servers do *no* authentication on client certs (to the point of not even asking for
them), then the essential handshaking built into SSL is wasted.

I can think of numerous online examples where requiring client certs would be a good thing: online
banking and stock trading are two examples that immediately leap to mind.  So the question is, why
are client certs not more prevalent?  Is is simply an ease of use thing?  Since the "Internet threat
model" upon which SSL is based makes the assumption that the channel is *not* secure, why is MITM
not taken more seriously?  Why, if SSL is designed to solve a problem that can be solved, namely
securing the channel (and people are content with just that), are not more people jumping up and
down yelling that it is being used incorrectly?

Am I missing something obvious here?  I look forward to any comments you might have.

-- Tom Otvos

"Don't think you are. Know you are." - Morpheus


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list