[14411] in cryptography@c2.net mail archive
Re: anonymous DH & MITM
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed Oct 1 23:07:23 2003
X-Original-To: cryptography@metzdowd.com
Date: Thu, 2 Oct 2003 14:37:31 +1200
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, mctylr@privacy.nb.ca, tim@dierks.org
Tim Dierks <tim@dierks.org> writes:

>It does not, and most SSL/TLS implementations/installations do not support
>anonymous DH in order to avoid this attack.

Uhh, I think that implementations don't support DH because the de facto
standard is RSA, not because of any concern about MITM (see below). You can
talk to everything using RSA, you can talk to virtually nothing using DH,
therefore...

>Many wish that anon DH was more broadly used as an intermediate security
>level between bare, insecure TCP & authenticated TLS, but this is not common
>at this time.

RSA is already used as anon-DH (via self-signed, snake-oil CA, expired,
invalid, etc etc certs), indicating that MITM isn't much of a concern for most
users.

Peter.
---------------------------------------------------------------------
The Cryptography Mailing List