Re: [TLS] Asking the browser for a different certificate

[Marsh Ray <marsh@extendedsubset.com>]

On 3/29/2010 6:22 PM, Kyle Hamilton wrote:
> On Mon, Mar 29, 2010 at 1:03 PM, Michael D'Errico <mike-list@pobox.com> wrote:
>> Kyle Hamilton wrote:
>>>
>>> I thought this was what the ADH ciphers were supposed to handle:
>>> create a private channel, and then authenticate each end of that
>>> channel inside the protection of the ciphered channel.
>>
>> There is no way to know if you've negotiated ADH with an attacker.
> 
> There's no way to know if you've negotiated ADH with an attacker --
> but you've only got one attacker, Mallory.

You can't know that, either.

If there were some way to know this (say IP hop count), you could simply
get a trusted party to "attack" you and thus gain immunity from other
attacks.

> If you have a whole bunch
> of Eve's out there, who's to say they won't be able to put two and two
> together and pinpoint you for attack even if you haven't connected to
> a Mallory?

This is a somewhat different question.

Yes, the possibility of detection and plausible deniability raise the
stakes for Mallory in the real world. But one of the main purposes of
TLS is to eliminate the possibility of such attacks. Therefore, TLS
itself cannot rely the tiniest little bit on the hope that some other
factor will mitigate mitm.

> There is no way to know that Mallory will not broadcast the fact that
> you connected with him under the pretense of being someone else, but
> if he does that he's admitting to digital fraud and deceit anyway.

Did you know your employer or your cell phone ISP is MITMing your
connections with trusted root certs pre-installed on the client they
gave you? They will of course have very reasonable explanations for why
this makes their network run better. When governments do it, they
needn't offer any explanations.

An interesting test case occurred the other day. It seems China (or the
DNS system itself) accidentally began MITMing and modifying DNS packets
for Chile and some of the US by broadcasting its own i.root-servers.net.

http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas
https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html

They modified DNS replies for Facebook, Twitter, and YouTube to redirect
them for something. Pakistan did something similar with YouTube's IP
netblock a few years back.

It only took network operators few days to figure out what was going on,
and these events were actually causing outages. Imagine a
narrowly-focused attack which had been tested to work well in advance.
These examples were done remotely with DNS and BGP. If the attacker
actually controls a network link or router, it could be done without
modifying source and dest addresses as seen by either the client or the
server.

> In most cases, I believe that security policies should make it more
> expensive to recover a message than the message is worth -- but not an
> order of magnitude more.  Maybe twice as expensive.  The more CPU time
> used in attacking, the more electricity must be used (many, many watts
> get dissipated as heat), which costs money.  The more sets of eyes
> looking at it, the more costly it becomes.

The defender must succeed every time, but the attacker only needs to
succeed once.

Therefore, strategies involving relative costs or design complexity tend
to favor the attacker as message volume and/or value increases.

- Marsh