[Cryptography] Client certificates as a defense against MITM attacks

Guido Witmond guido at witmond.nl
Sun Mar 16 15:56:05 EDT 2014


On 03/16/14 14:56, Jerry Leichter wrote:


> So let's expand the model a bit.  Imagine clients have certs, too,
> and that servers know their client's certs.  If, once an SSL
> connection was established, the client sent a message, signed with
> its own cert, saying "This is the SSL hash of the CA that signed the
> cert I used for you and the session key I'm using to talk to you",
> the server could immediately detect any MITM attack.  We can think
> about what to do from there, but fundamentally if it's concerned
> about its user's security, it must shut the connection down.

Fail fast, no questions asked, no user overrides. Let's not make that
old mistake again.


> An attacker could still completely impersonate a site; and a site
> might be compelled to consider the connection OK anyway; or the
> client's cert might be tampered with.  But any of these is much more
> intrusive and visible than simply tapping in, and doing stuff on the
> client side requires a hugely larger scale of operation.

With DNSSEC and DANE, an attacker needs to impersonate ICANN's DNSSEC
Root key as well. This certainly limits the number of players that can
impersonate your site to two: NSA, NSA's friends.



> This doesn't solve the "first connection between a pair of parties
> neither of whom has any way of identifying the other".  

Again, DNSSEC and DANE do identify the server.

For client, the site can set up their own client certificate signer for
their own use.

Just improve browser support a bit, but that's left as an exercise.....


Regards, Guido.
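The binding check described in the quoted proposal, worked through as an added example (this is not code from either poster): after the handshake the client signs a statement covering the server certificate it saw and the session key it negotiated, and the server recomputes that statement from its own view of the connection. A MITM that terminates TLS on both sides cannot make the two views agree, and cannot forge the statement without the client's key. Assumptions: the certificates and session keys are constructed byte strings, the binding covers the leaf certificate fingerprint (the quote binds to the signing CA, which works the same way), and the client-certificate signature is stood in for by an HMAC under a per-client key because the Python standard library has no asymmetric signing.

```python
"""Channel-binding check for detecting a TLS MITM (added example, stdlib only).

Model: the client attests "I saw server cert X and negotiated session key K"
under a key the server already associates with that client. The server
recomputes the attestation from its own side of the connection and closes on
any mismatch. The client-cert signature is stood in for by an HMAC under a
per-client key (assumption); the comparison logic is the same with a real
signature.
"""
import hashlib
import hmac

LABEL = b"tls-binding-v1"  # constructed domain-separation label


def fingerprint(cert: bytes) -> bytes:
    """SHA-256 of the (constructed) certificate bytes the peer presented."""
    return hashlib.sha256(cert).digest()


def binding_message(server_cert_fp: bytes, session_key: bytes) -> bytes:
    """The statement the client attests to. The session key is hashed so the
    message can travel over the channel without exposing the key itself."""
    return b"|".join([LABEL, server_cert_fp, hashlib.sha256(session_key).digest()])


def client_attest(client_key: bytes, server_cert_seen: bytes, session_key: bytes):
    """Client side: bind the cert it saw and the key it negotiated, then sign."""
    msg = binding_message(fingerprint(server_cert_seen), session_key)
    tag = hmac.new(client_key, msg, hashlib.sha256).digest()
    return msg, tag


def server_verify(client_key: bytes, own_cert: bytes, own_session_key: bytes,
                  msg: bytes, tag: bytes) -> bool:
    """Server side: accept only if the signature checks AND the bound values
    match the server's own view of this connection. Any failure -> close."""
    if not hmac.compare_digest(hmac.new(client_key, msg, hashlib.sha256).digest(), tag):
        return False  # not signed by this client, or tampered in transit
    expected = binding_message(fingerprint(own_cert), own_session_key)
    return hmac.compare_digest(msg, expected)


# Constructed fixtures (not real keys or certificates).
CLIENT_KEY = b"client-cert-private-key-stand-in"
SERVER_CERT = b"-----server cert (constructed)-----"
MITM_CERT = b"-----mitm cert that the client's CA list wrongly accepts-----"


def run_direct() -> bool:
    """Honest connection: one TLS session, both sides see the same values."""
    k = b"session key negotiated client<->server"
    msg, tag = client_attest(CLIENT_KEY, SERVER_CERT, k)
    return server_verify(CLIENT_KEY, SERVER_CERT, k, msg, tag)


def run_mitm_forward() -> bool:
    """MITM terminates TLS: client<->mitm under k1, mitm<->server under k2.
    The MITM relays the client's attestation unchanged."""
    k1 = b"session key client<->mitm"
    k2 = b"session key mitm<->server"
    msg, tag = client_attest(CLIENT_KEY, MITM_CERT, k1)  # client saw the MITM's cert
    return server_verify(CLIENT_KEY, SERVER_CERT, k2, msg, tag)


def run_mitm_forge() -> bool:
    """MITM instead crafts the message the server expects, but lacks the
    client's key, so the tag cannot be right."""
    k2 = b"session key mitm<->server"
    forged = binding_message(fingerprint(SERVER_CERT), k2)
    forged_tag = hmac.new(b"attacker guess", forged, hashlib.sha256).digest()
    return server_verify(CLIENT_KEY, SERVER_CERT, k2, forged, forged_tag)


if __name__ == "__main__":
    print("direct:      ", run_direct())        # True: connection accepted
    print("mitm forward:", run_mitm_forward())  # False: server closes
    print("mitm forge:  ", run_mitm_forge())    # False: server closes
```

In a real deployment the "session key" component would be TLS exported keying material (RFC 5705) or the tls-unique binding rather than the raw key, and the server's reaction on False is exactly what Guido calls for: close the connection, no override.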



