Re: [TLS] Ideas for TLS 1.3: Server key continuity and certificate reporting

[Kai Engert <kaie@kuix.de>]

On Mo, 2014-01-13 at 16:44 +0100, Kai Engert wrote: 
> I believe your point is, it doesn't matter which pysical connectivity
> option a client uses to connect to the Internet - because the adversary
> doesn't need to manipulate connections close to the victim, but rather
> could enforce that MITM remains always active for a particular client.
> 
> I agree, for state level attackers who can manipulate the Internet
> backbone, this could block the ability of a victim to report a falsely
> issued certificate to the real server.
> 
> Question is, is the quantum server really sufficiently reliable enough
> to be active at all times, no expections? For each victim, a onetime
> glitch or downtime would be sufficient to get the false certificate
> reported.

Replying to myself, a few additional comments on that:

If a powerful adversary used QUANTUM* to implement MITM widely, for many
clients, using a falsely issued certificate, the adversary risks
detection. For example, I have proposed the http://detector.io project,
where I encourage all operators of TLS servers to monitor their own
server for an unexpected certificate, by connecting from elsewhere, for
example, by making use of the capabilities of the existing Tor network.

The ideas presented in this particular mailing list thread focus on the
idea that most MITM attacks wouldn't be executed broadly, because of the
high risk of detecting the falsely issued certificate. Rather, I focus
on targetted attacks, which involve only clients of a very small subset
of the network.

When targetting only a small subset of a network with MTIM, I think it's
likely that eventually the client will be able to connect around that
network, either caused by a roaming client, or by a temporary downtime
of the MITM attack, which would be sufficient for reporting the false
certificate as I'm proposing here.

Kai