[Cryptography] Client certificates as a defense against MITM attacks
Thierry Moreau
thierry.moreau at connotech.com
Mon Mar 17 08:50:33 EDT 2014
On 03/17/14 04:39, Nico Williams wrote:
>
> Now how will you know that the real server sees you as authenticated
> to them and, therefore, that there was no MITM? Well, suppose the
> server is your bank, and you're looking at your bank account balances
> and transaction logs: if you didn't authenticate to your bank but to
> an active attacker then the attacker will have to know an awful lot
> about you for you to realize that they're not your bank. The attacker
> might get to observe your intentions (e.g., move money about), but
> they won't get to change your orders, and you'll eventually recognize
> that something went wrong.
>
> [...]
>
> I.e., protection against MITM using client user certs is not trivial.
>
Indeed it is not trivial. From a self-defense perspective where the client
knows what its private key computations are doing, the above protection
against MITM is focused on the "don't speak to strangers" motto. I.e., as
you indicated, don't provide any sensitive information to any site
before it displays prior personal data in the HTTPS session
authenticated with your private key.
The main challenge is to eradicate the client *certificate* from the user's
(and the security expert's as well) mental model and bring in the core notion
of a client PPKP (Public-Private Key Pair), while the browser only takes the
PKCS12 format.
The IT security community did not need an NSA for this self-inflicted harm.
- Thierry Moreau
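The reason an active attacker cannot pass itself off to the bank as an authenticated client, which the exchange above relies on, is that the client's TLS authentication signature (CertificateVerify) covers the handshake transcript, including the key the server presented and both nonces. The following is an added illustration, not code from this thread, from any browser or from any TLS library: a toy handshake in Go that keeps only those bindings. Ed25519 stands in for X.509/RSA, SHA-256 over a few fields stands in for the real transcript hash, the server holds the client's bare public key (the PPKP notion, no certificate), and the names DirectHandshake, RelayHandshake, ImpersonateHandshake, "bank" and "mitm" are invented for the example. Server certificate validation is deliberately left out, since the thread is about what the client key adds when that check has failed or been bypassed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server holds its own key pair and the bare public keys of registered
// clients (a key pair, not a certificate, is all the server needs to verify).
type Server struct {
	Name    string
	Priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Clients map[string]ed25519.PublicKey
}

// Client holds the user's key pair, the "PPKP" of the post.
type Client struct {
	ID   string
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func newServer(name string) *Server {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{Name: name, Priv: priv, Pub: pub, Clients: map[string]ed25519.PublicKey{}}
}

func newClient(id string) *Client {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Client{ID: id, Priv: priv, Pub: pub}
}

func nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// hashLabel models the TLS transcript hash: it commits to the server key the
// client actually saw and to both nonces. The label separates the server's
// proof of possession from the client's authentication signature.
func hashLabel(label string, serverPub ed25519.PublicKey, serverNonce, clientNonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	h.Write(serverPub)
	h.Write(serverNonce)
	h.Write(clientNonce)
	return h.Sum(nil)
}

// Hello is the server's reply to a ClientHello: its nonce plus a signature
// proving it holds the private key for the public key it presents.
func (s *Server) Hello(clientNonce []byte) (serverNonce, proof []byte) {
	serverNonce = nonce()
	proof = ed25519.Sign(s.Priv, hashLabel("server", s.Pub, serverNonce, clientNonce))
	return serverNonce, proof
}

// Authenticate is the client's CertificateVerify. It refuses to sign unless the
// presented key proved possession over this transcript, and the signature it
// then produces is bound to that key, so it is useless on any other connection.
func (c *Client) Authenticate(serverPub ed25519.PublicKey, serverNonce, clientNonce, proof []byte) ([]byte, bool) {
	if !ed25519.Verify(serverPub, hashLabel("server", serverPub, serverNonce, clientNonce), proof) {
		return nil, false
	}
	return ed25519.Sign(c.Priv, hashLabel("client", serverPub, serverNonce, clientNonce)), true
}

// VerifyClient checks the signature against the transcript the server itself
// observed, which includes the server's own key.
func (s *Server) VerifyClient(clientID string, serverNonce, clientNonce, sig []byte) bool {
	pub, ok := s.Clients[clientID]
	return ok && ed25519.Verify(pub, hashLabel("client", s.Pub, serverNonce, clientNonce), sig)
}

// DirectHandshake: client and bank with nothing in between.
func DirectHandshake(bank *Server, c *Client) bool {
	cn := nonce()
	sn, proof := bank.Hello(cn)
	sig, ok := c.Authenticate(bank.Pub, sn, cn, proof)
	return ok && bank.VerifyClient(c.ID, sn, cn, sig)
}

// RelayHandshake: the MITM terminates the client's connection with its own key
// and replays the client's signature to the bank. The model even lets the
// attacker reuse the bank's nonce towards the client, the best case for it;
// the replay still fails because the client signed over the MITM's key.
func RelayHandshake(bank, mitm *Server, c *Client) (clientAccepted, bankAccepted bool) {
	cn := nonce()
	bankNonce, _ := bank.Hello(cn)
	proof := ed25519.Sign(mitm.Priv, hashLabel("server", mitm.Pub, bankNonce, cn))
	sig, clientAccepted := c.Authenticate(mitm.Pub, bankNonce, cn, proof)
	if !clientAccepted {
		return false, false
	}
	return true, bank.VerifyClient(c.ID, bankNonce, cn, sig)
}

// ImpersonateHandshake: the MITM presents the bank's (public) key instead of its
// own but cannot produce the bank's proof of possession, so the client never signs.
func ImpersonateHandshake(bank, mitm *Server, c *Client) bool {
	cn, sn := nonce(), nonce()
	forged := ed25519.Sign(mitm.Priv, hashLabel("server", bank.Pub, sn, cn))
	_, ok := c.Authenticate(bank.Pub, sn, cn, forged)
	return ok
}

func main() {
	bank, mitm := newServer("bank"), newServer("mitm")
	alice := newClient("alice")
	bank.Clients[alice.ID] = alice.Pub
	fmt.Println("direct handshake accepted by bank:", DirectHandshake(bank, alice))
	ca, ba := RelayHandshake(bank, mitm, alice)
	fmt.Println("relay: client authenticated to MITM:", ca, "; bank accepted replay:", ba)
	fmt.Println("impersonation with bank's public key, client signed:", ImpersonateHandshake(bank, mitm, alice))
}
```

What the relay case shows is exactly the situation in the quoted paragraph: the attacker does get a client-authenticated session with the victim and can watch what the victim tries to do, but the bank never sees that authentication, so the attacker can show the victim no real account data and can issue no orders in the victim's name. The "don't speak to strangers" rule in the post is the user-side check that exploits this asymmetry.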