[Cryptography] Client certificates as a defense against MITM attacks

Thierry Moreau thierry.moreau at connotech.com
Mon Mar 17 08:50:33 EDT 2014

On 03/17/14 04:39, Nico Williams wrote:
> Now how will you know that the real server sees you as authenticated
> to them and, therefore, that there was no MITM?  Well, suppose the
> server is your bank, and you're looking at your bank account balances
> and transaction logs: if you didn't authenticate to your bank but to
> an active attacker then the attacker will have to know an awful lot
> about you for you to realize that they're not your bank.  The attacker
> might get to observe your intentions (e.g., move money about), but
> they won't get to change your orders, and you'll eventually recognize
> that something went wrong.
> [...]
> I.e., protection against MITM using client user certs is not trivial.

Indeed it is not trivial. In a self-defense perspective where the client 
knows what its private key computations are doing, the above protection 
against MITM is focused on the "don't speak to strangers" motto. I.e. as 
you indicated, don't provide any sensitive information from any site 
before it displays prior personal data in the HTTPS session 
authenticated with your private key.

The main challenge is to eradicate the client *certificate* from the user's 
(and the security expert's as well) mental model and bring in the core notion 
of the client PPKP (Public-Private Key Pair), while the browser only takes 
PKCS12 format.

The IT security community did not need an NSA for this self-inflicted harm.

- Thierry Moreau
