Re: [TLS] Asking the browser for a different certificate
Kyle Hamilton <aerowolf@gmail.com> Mon, 29 March 2010 23:22 UTC
In-Reply-To: <4BB1077D.4030506@pobox.com>
References: <4BAE396B.9090104@extendedsubset.com> <201003291745.o2THjKgr017986@fs4113.wdf.sap.corp> <6b9359641003291236t4e7bd0c6ycc5c5a435f38f3cf@mail.gmail.com> <4BB1077D.4030506@pobox.com>
Date: Mon, 29 Mar 2010 16:22:45 -0700
Message-ID: <6b9359641003291622y4310e1f2p18301fde231701c8@mail.gmail.com>
From: Kyle Hamilton <aerowolf@gmail.com>
To: Michael D'Errico <mike-list@pobox.com>
Content-Type: text/plain; charset="UTF-8"
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] Asking the browser for a different certificate
On Mon, Mar 29, 2010 at 1:03 PM, Michael D'Errico <mike-list@pobox.com> wrote:
> Kyle Hamilton wrote:
>>
>> I thought this was what the ADH ciphers were supposed to handle:
>> create a private channel, and then authenticate each end of that
>> channel inside the protection of the ciphered channel.
>
> There is no way to know if you've negotiated ADH with an attacker.

There's no way to know if you've negotiated ADH with an attacker -- but
you've only got one attacker, Mallory. If you have a whole bunch of Eves
out there, who's to say they won't be able to put two and two together
and pinpoint you for attack even if you haven't connected to a Mallory?

There is no way to know that Mallory will not broadcast the fact that you
connected with him under the pretense of being someone else, but if he
does that he's admitting to digital fraud and deceit anyway.

In most cases, I believe that security policies should make it more
expensive to recover a message than the message is worth -- but not an
order of magnitude more. Maybe twice as expensive. The more CPU time used
in attacking, the more electricity must be used (many, many watts get
dissipated as heat), which costs money. The more sets of eyes looking at
it, the more costly it becomes.

-Kyle H
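The two positions quoted above (anonymous DH gives a private channel; but an endpoint cannot tell whether the other end of that channel is its peer or an interposer) can be made concrete with a small model. The following is an added example written for this archive page, not code from either poster or from any TLS implementation. It assumes a constructed toy group (a 127-bit Mersenne prime, far too small for real use), and it uses a long-term MAC key shared by Alice and Bob as a stand-in for a certificate and signature; the names `run_adh`, `unbound_proof`, `bound_proof` and `simulate` are the example's own. It shows three things the thread is arguing about: an honest endpoint's view of an ADH handshake looks the same with or without Mallory; authenticating "inside the channel" with a proof that does not cover the channel's DH values is simply forwarded by Mallory and still accepted; and a proof bound to the DH transcript is rejected when the two ends saw different values.

```python
"""Toy model of anonymous Diffie-Hellman with and without an interposer.

Constructed example for illustration: the group is a small Mersenne prime,
not a TLS group, and AUTH_KEY stands in for a certificate/private key.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1          # constructed toy modulus (insecure size); fits in 16 bytes
G = 3
AUTH_KEY = b"constructed long-term secret shared by Alice and Bob"


def keypair():
    """Ephemeral DH key pair (x, g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive(priv, peer_pub):
    """Session key from our private value and the public value we received."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def run_adh(interposed):
    """One anonymous DH handshake.

    Returns each party's view as (client_value, server_value, session_key).
    With interposed=True Mallory swaps the public values on both legs; note
    that Alice's and Bob's views have exactly the same shape either way, which
    is the point made in the thread: nothing in the exchange tells them apart.
    """
    a, A = keypair()
    b, B = keypair()
    if not interposed:
        return {"alice": (A, B, derive(a, B)),
                "bob": (A, B, derive(b, A)),
                "mallory": None}
    m1, M1 = keypair()  # Mallory's value shown to Bob, posing as Alice
    m2, M2 = keypair()  # Mallory's value shown to Alice, posing as Bob
    return {"alice": (A, M2, derive(a, M2)),       # Alice sent A, received M2
            "bob": (M1, B, derive(b, M1)),         # Bob received M1, sent B
            "mallory": (derive(m2, A), derive(m1, B))}  # one key per leg


def mac(data):
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()


def unbound_proof(nonce):
    """Authentication 'inside the channel' that ignores the channel: a MAC over
    a challenge. Whoever sits in the middle can forward it unchanged."""
    return mac(b"challenge|" + nonce)


def bound_proof(client_pub, server_pub):
    """Channel-bound authentication: the MAC covers the DH values this party saw,
    in the spirit of a TLS Finished message or tls-unique channel binding."""
    return mac(b"transcript|" + client_pub.to_bytes(16, "big")
               + server_pub.to_bytes(16, "big"))


def simulate(interposed, bound):
    """Run the handshake, then have Alice authenticate to Bob.

    Mallory never learns AUTH_KEY, so she can only relay Alice's proof.
    Returns whether Bob accepted, whether Alice and Bob hold the same key,
    and whether Mallory holds a key for each leg.
    """
    views = run_adh(interposed)
    nonce = secrets.token_bytes(16)  # Bob's challenge, relayed verbatim to Alice
    if bound:
        proof = bound_proof(views["alice"][0], views["alice"][1])
        expected = bound_proof(views["bob"][0], views["bob"][1])
    else:
        proof = unbound_proof(nonce)
        expected = unbound_proof(nonce)
    mallory = views["mallory"]
    return {
        "accepted": hmac.compare_digest(proof, expected),
        "keys_agree": views["alice"][2] == views["bob"][2],
        "mallory_reads_both": mallory is not None
        and mallory == (views["alice"][2], views["bob"][2]),
    }


if __name__ == "__main__":
    for interposed in (False, True):
        for bound in (False, True):
            print(f"interposed={interposed!s:5} bound={bound!s:5} ->",
                  simulate(interposed, bound))
```

Running it shows the `interposed=True, bound=False` case accepting Alice's proof while Alice and Bob hold different keys and Mallory holds both; only the transcript-bound proof turns Mallory's interposition into a visible failure. That is the gap between "authenticate inside the channel" and authenticating the channel itself.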