SSL, client certs, and MITM (was WYTM?)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Oct 22 22:26:03 EDT 2003


"Perry E. Metzger" <perry at piermont.com> writes:

>TLS is just a pretty straightforward well analyzed protocol for protecting a
>channel -- full stop. It can be used in a wide variety of ways, for a wide
>variety of apps. It happens to allow you to use X.509 certs, but if you
>really hate X.509, define an extension to use SPKI or SSH style certs. TLS
>will accommodate such a thing easily. Indeed, I would encourage you to do
>such a thing.

Actually there's no need to even extend TLS; there's a standard and very
simple technique which is probably best known from its use in SSH but has been
in use in various other places as well:

1. The first time your server fires up, generate a self-signed cert.

2. When the user connects, have them verify the cert out-of-band via its
   fingerprint.  Even a lower-security simple phrase or something derived from
   the fingerprint is better than nothing.

3. For subsequent connections, warn if the cert fingerprint has changed.

That's currently being used by a number of TLS-using apps, and works at least
as well as any other mechanism.  At a pinch, you can even omit (2) and just
warn if a key that doesn't match the one first encountered is used; that'll
catch everything but an extremely consistent MITM.  Using something like SSH
keys isn't going to give you any magical security that X.509 certs don't,
you'll just get something equivalent to the above mechanism.

Peter.
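The three-step key-continuity scheme described in the post, as an added Python example that is not part of the original message: the `KnownHosts` store, the `example.net` host names and the stand-in certificate bytes are constructed for illustration, and the optional `verified_fp` argument models step (2) so that skipping it gives the "at a pinch" variant.

```python
import hashlib
import hmac
import json
from pathlib import Path

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated hex: what the user
    compares out-of-band in step 2."""
    hx = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))

class KnownHosts:
    """SSH-style key-continuity store: host -> fingerprint of the first cert seen."""

    def __init__(self, path=None):  # path=None: in-memory only (used by demo())
        self.path = Path(path) if path else None
        self.entries = json.loads(self.path.read_text()) if self.path and self.path.exists() else {}

    def check(self, host, cert_der, verified_fp=None):
        """Verdict for cert_der presented by host. verified_fp is the fingerprint
        the user confirmed out-of-band, or None to pin blindly (the 'at a pinch' variant)."""
        fp = fingerprint(cert_der)
        known = self.entries.get(host)
        if known is None:
            if verified_fp is not None and not hmac.compare_digest(fp, verified_fp.upper()):
                return "REJECT"          # first contact, but the user says this is not the key
            self.entries[host] = fp      # steps 1-2: pin the key seen on first contact
            if self.path:
                self.path.write_text(json.dumps(self.entries, indent=1))
            return "verified" if verified_fp else "first-use"
        if hmac.compare_digest(known, fp):
            return "match"               # step 3: same key as last time
        return "MISMATCH"                # step 3: key changed, warn loudly

# Constructed stand-ins for DER certificates (not real DER); a real client would
# pass ssl.SSLSocket.getpeercert(binary_form=True) here.
CERT_A = b"constructed stand-in for server key A"
CERT_B = b"constructed stand-in for server key B"

def demo():
    store = KnownHosts()
    return [
        store.check("mail.example.net", CERT_A, fingerprint(CERT_A)),  # verified first use
        store.check("mail.example.net", CERT_A),                       # later connection
        store.check("mail.example.net", CERT_B),                       # key changed
        store.check("ftp.example.net", CERT_B),                        # step 2 skipped
        store.check("www.example.net", CERT_A, fingerprint(CERT_B)),   # wrong fingerprint
    ]
```

The "MISMATCH" verdict is the only signal the scheme gives against an attacker who was not present at first contact, which is why a client should refuse rather than silently re-pin when it fires.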

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com