Re: [TLS] Asking the browser for a different certificate
Marsh Ray <marsh@extendedsubset.com> Tue, 30 March 2010 01:22 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3A0563A6886 for <tls@core3.amsl.com>; Mon, 29 Mar 2010 18:22:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.605
X-Spam-Level:
X-Spam-Status: No, score=0.605 tagged_above=-999 required=5 tests=[AWL=-0.526, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l04g522g4wE1 for <tls@core3.amsl.com>; Mon, 29 Mar 2010 18:22:00 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 558223A63EC for <tls@ietf.org>; Mon, 29 Mar 2010 18:21:57 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NwQ9x-000IeM-Fs; Tue, 30 Mar 2010 01:22:25 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 3E4C660B8; Tue, 30 Mar 2010 01:22:24 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/n43Y6RvwaNsKoML2jw5qXMqhQwQuqx1Q=
Message-ID: <4BB15250.6080306@extendedsubset.com>
Date: Mon, 29 Mar 2010 20:22:24 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Kyle Hamilton <aerowolf@gmail.com>
References: <4BAE396B.9090104@extendedsubset.com> <201003291745.o2THjKgr017986@fs4113.wdf.sap.corp> <6b9359641003291236t4e7bd0c6ycc5c5a435f38f3cf@mail.gmail.com> <4BB1077D.4030506@pobox.com> <6b9359641003291622y4310e1f2p18301fde231701c8@mail.gmail.com>
In-Reply-To: <6b9359641003291622y4310e1f2p18301fde231701c8@mail.gmail.com>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] Asking the browser for a different certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2010 01:22:14 -0000
On 3/29/2010 6:22 PM, Kyle Hamilton wrote: > On Mon, Mar 29, 2010 at 1:03 PM, Michael D'Errico <mike-list@pobox.com> wrote: >> Kyle Hamilton wrote: >>> >>> I thought this was what the ADH ciphers were supposed to handle: >>> create a private channel, and then authenticate each end of that >>> channel inside the protection of the ciphered channel. >> >> There is no way to know if you've negotiated ADH with an attacker. > > There's no way to know if you've negotiated ADH with an attacker -- > but you've only got one attacker, Mallory. You can't know that, either. If there were some way to know this (say IP hop count), you could simply get a trusted party to "attack" you and thus gain immunity from other attacks. > If you have a whole bunch > of Eve's out there, who's to say they won't be able to put two and two > together and pinpoint you for attack even if you haven't connected to > a Mallory? This is a somewhat different question. Yes, the possibility of detection and plausible deniability raise the stakes for Mallory in the real world. But one of the main purposes of TLS is to eliminate the possibility of such attacks. Therefore, TLS itself cannot rely the tiniest little bit on the hope that some other factor will mitigate mitm. > There is no way to know that Mallory will not broadcast the fact that > you connected with him under the pretense of being someone else, but > if he does that he's admitting to digital fraud and deceit anyway. Did you know your employer or your cell phone ISP is MITMing your connections with trusted root certs pre-installed on the client they gave you? They will of course have very reasonable explanations for why this makes their network run better. When governments do it, they needn't offer any explanations. An interesting test case occurred the other day. It seems China (or the DNS system itself) accidentally began MITMing and modifying DNS packets for Chile and some of the US by broadcasting its own i.root-servers.net. http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html They modified DNS replies for Facebook, Twitter, and YouTube to redirect them for something. Pakistan did something similar with YouTube's IP netblock a few years back. It only took network operators few days to figure out what was going on, and these events were actually causing outages. Imagine a narrowly-focused attack which had been tested to work well in advance. These examples were done remotely with DNS and BGP. If the attacker actually controls a network link or router, it could be done without modifying source and dest addresses as seen by either the client or the server. > In most cases, I believe that security policies should make it more > expensive to recover a message than the message is worth -- but not an > order of magnitude more. Maybe twice as expensive. The more CPU time > used in attacking, the more electricity must be used (many, many watts > get dissipated as heat), which costs money. The more sets of eyes > looking at it, the more costly it becomes. The defender must succeed every time, but the attacker only needs to succeed once. Therefore, strategies involving relative costs or design complexity tend to favor the attacker as message volume and/or value increases. - Marsh
- Re: [TLS] Asking the browser for a different cert… Story Henry
- [TLS] Asking the browser for a different certific… Story Henry
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Wan-Teh Chang
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Michael D'Errico
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Dale Gustafson
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Bruno Harbulot
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray