[Cryptography] Client certificates as a defense against MITM attacks

[Jerry Leichter]

On Mar 16, 2014, at 3:56 PM, Guido Witmond <guido at witmond.nl> wrote:
>> So let's expand the model a bit.  Imagine clients have certs, too,
>> and that servers know their client's certs.  If, once an SSL
>> connection was established, the client sent a message, signed with
>> its own cert, saying "This is the SSL hash of the CA that signed the
>> cert I used for you and the session key I'm using to talk to you",
>> the server could immediately detect any MITM attack.  We can think
>> about what to do from there, but fundamentally if it's concerned
>> about its user's security, it must shut the connection down.
> Fail fast, no questions asked, no user overrides. Let's not make that
> old mistake again.
In this algorithm, it's not just a mistake to avoid - it's absolutely fundamental.  The client and server can be sure that the client's message, if it arrives at the server, will only be accepted by the server it if was unmodified in transit.  And both can be sure that if the included information is found to be valid by the server, then no MITM attack is taking place and further secure communication is possible.  But if the server either doesn't receive, or can't validate, this client message, no further conclusions will be possible.  In particular, if the server tries to inform the client of the problem, it has no reason to believe the client will receive that message unmolested.  The only message it can, in some sense, send securely is a link shutdown.  That leaves the MITM in a position where to avoid that message getting through to the client, it must successfully imitate the server.  If it could do that, it wouldn't have had to use a MITM attack.
                                                        -- Jerry