[14409] in cryptography@c2.net mail archive
Re: anonymous DH & MITM
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Oct 1 22:29:52 2003
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@research.att.com>
To: iang@systemics.com
Cc: M Taylor <mctylr@privacy.nb.ca>,
Cryptography list <cryptography@metzdowd.com>
In-Reply-To: Your message of "Wed, 01 Oct 2003 19:46:43 EDT."
<3F7B6763.96C75690@systemics.com>
Date: Wed, 01 Oct 2003 22:22:08 -0400

In message <3F7B6763.96C75690@systemics.com>, Ian Grigg writes:
>M Taylor wrote:
>
>MITM is a real and valid threat, and should be
>considered. By this motive, ADH is not a recommended
>mode in TLS, and is also deprecated.
>
>Ergo, your threat model must include MITM, and you
>will pay the cost.
>
>(Presumably this logic is behind the decision by the
>TLS RFC writers to deprecate ADH. Hence, talking
>about ADH in TLS is a waste of time, which is why I
>have stopped suggesting that ADH be used to secure
>browsing, and am concentrating on self-signed certs.
>Anybody care to comment from the TLS team as to what
>the posture is?)

What's your threat model? Self-signed certs are no better than ADH
against MITM attacks. Until you understand your threat model, you don't
have any grounds to make that decision.

MITM is certainly possible -- I've seen it happen. The dsniff package
includes a MITM tool, as do many other packages; at the Usenix Security
conference a few years ago, someone intercepted all web-bound traffic
and displayed a page "All your packets are belong to us". Anyone on
the same LAN (switched or unswitched) could have done the same. If
you're not on the same LAN, a routing attack or a DNS attack could
result in the same thing, and those are happening, too, in the wild.

--Steve Bellovin, http://www.research.att.com/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
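
An added illustration, not part of the original message: a toy anonymous DH exchange showing that the handshake completes normally when a party on the path substitutes its own public value, and that only a reference obtained out of band (here a pinned fingerprint) lets the client notice. The group parameters, function names and the pinning check are assumptions of this sketch; a self-signed certificate adds only a signature that verifies under the key it carries, so without such a reference the client is in the same position.

```python
import hashlib
import secrets

# Toy group chosen for brevity (assumption of this sketch, not a vetted DH group).
P = 2**521 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short hash of a public value, as a user might compare out of band."""
    return hashlib.sha256(pub.to_bytes(66, "big")).hexdigest()[:16]

def session_key(priv, peer_pub):
    """Derive a session key from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(66, "big")).hexdigest()

def handshake(server, on_path=False, pinned_fp=None):
    """Run one exchange between a fresh client and `server` (a keypair).

    on_path:   a third party replaces both public values in transit.
    pinned_fp: server fingerprint the client learned out of band, if any.
    """
    s_priv, s_pub = server
    c_priv, c_pub = keypair()
    to_client, to_server = s_pub, c_pub
    if on_path:
        _, m_pub = keypair()            # the interceptor's own public value
        to_client = to_server = m_pub
    # Without a pin the client has nothing to compare the received value to.
    if pinned_fp is not None and fingerprint(to_client) != pinned_fp:
        return {"accepted": False, "keys_match": False}
    match = session_key(c_priv, to_client) == session_key(s_priv, to_server)
    return {"accepted": True, "keys_match": match}

if __name__ == "__main__":
    server = keypair()
    pin = fingerprint(server[1])
    cases = [("direct, no pin", {}),
             ("intercepted, no pin", {"on_path": True}),
             ("intercepted, pinned", {"on_path": True, "pinned_fp": pin}),
             ("direct, pinned", {"pinned_fp": pin})]
    for label, kwargs in cases:
        print(f"{label:22s} {handshake(server, **kwargs)}")
```

In the "intercepted, no pin" case the client accepts while the two ends hold different keys, which is the condition neither side can observe from inside the protocol.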