[Cryptography] self-MITMing my own TLS connection ...

Adam Gibson ekaggata at gmail.com
Thu Feb 26 04:30:41 EST 2015

On 02/18/2015 12:10 AM, Albert Puigsech Galicia wrote:
> 2015-02-17 20:25 GMT+01:00 Adam Gibson <ekaggata at gmail.com>:
> 
>> On 02/17/2015 02:04 PM, ianG wrote:
>>> Interesting case study of where the market for MITMs is going...
>>> 
>>> https://tlsnotary.org/
>> 
>> Hi Ian, I wonder what you mean by 'self-MITM' here? TLSNotary
>> doesn't use MITM (I'm sure you understood that but just for
>> clarification). Do you have any comments on the soundness of the
>> scheme?
>> 
>> Regards, Adam Gibson
> 
> There is a MITM but it's not in the connection/network. I think
> that's the reason he calls it 'self-MITM'.

There really isn't.

The distinction is precisely that the auditor does not need to be
trusted to not tamper with the client-server data because he cannot
read it nor intercept it and modify it. So it is not MITM in any sense.

The auditor only gets the data after the connection is shut down, and
only if the auditee chooses to show it.

If I'm being pedantic (not sure that I am to be honest), it's only
because that is the whole point of tlsnotary; to avoid using MITM
which has a horrible trust model.