Re: [TLS] Asking the browser for a different certificate

Marsh Ray <> Tue, 30 March 2010 01:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3A0563A6886 for <>; Mon, 29 Mar 2010 18:22:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.605
X-Spam-Status: No, score=0.605 tagged_above=-999 required=5 tests=[AWL=-0.526, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l04g522g4wE1 for <>; Mon, 29 Mar 2010 18:22:00 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 558223A63EC for <>; Mon, 29 Mar 2010 18:21:57 -0700 (PDT)
Received: from ([]) by with esmtpa (Exim 4.68) (envelope-from <>) id 1NwQ9x-000IeM-Fs; Tue, 30 Mar 2010 01:22:25 +0000
Received: from [] (localhost []) by (Postfix) with ESMTP id 3E4C660B8; Tue, 30 Mar 2010 01:22:24 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Report-Abuse-To: (see for abuse reporting information)
X-MHO-User: U2FsdGVkX1/n43Y6RvwaNsKoML2jw5qXMqhQwQuqx1Q=
Message-ID: <>
Date: Mon, 29 Mar 2010 20:22:24 -0500
From: Marsh Ray <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Kyle Hamilton <>
References: <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: TLS Mailing List <>
Subject: Re: [TLS] Asking the browser for a different certificate
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Mar 2010 01:22:14 -0000

On 3/29/2010 6:22 PM, Kyle Hamilton wrote:
> On Mon, Mar 29, 2010 at 1:03 PM, Michael D'Errico <> wrote:
>> Kyle Hamilton wrote:
>>> I thought this was what the ADH ciphers were supposed to handle:
>>> create a private channel, and then authenticate each end of that
>>> channel inside the protection of the ciphered channel.
>> There is no way to know if you've negotiated ADH with an attacker.
> There's no way to know if you've negotiated ADH with an attacker --
> but you've only got one attacker, Mallory.

You can't know that, either.

If there were some way to know this (say IP hop count), you could simply
get a trusted party to "attack" you and thus gain immunity from other

> If you have a whole bunch
> of Eve's out there, who's to say they won't be able to put two and two
> together and pinpoint you for attack even if you haven't connected to
> a Mallory?

This is a somewhat different question.

Yes, the possibility of detection and plausible deniability raise the
stakes for Mallory in the real world. But one of the main purposes of
TLS is to eliminate the possibility of such attacks. Therefore, TLS
itself cannot rely the tiniest little bit on the hope that some other
factor will mitigate mitm.

> There is no way to know that Mallory will not broadcast the fact that
> you connected with him under the pretense of being someone else, but
> if he does that he's admitting to digital fraud and deceit anyway.

Did you know your employer or your cell phone ISP is MITMing your
connections with trusted root certs pre-installed on the client they
gave you? They will of course have very reasonable explanations for why
this makes their network run better. When governments do it, they
needn't offer any explanations.

An interesting test case occurred the other day. It seems China (or the
DNS system itself) accidentally began MITMing and modifying DNS packets
for Chile and some of the US by broadcasting its own

They modified DNS replies for Facebook, Twitter, and YouTube to redirect
them for something. Pakistan did something similar with YouTube's IP
netblock a few years back.

It only took network operators few days to figure out what was going on,
and these events were actually causing outages. Imagine a
narrowly-focused attack which had been tested to work well in advance.
These examples were done remotely with DNS and BGP. If the attacker
actually controls a network link or router, it could be done without
modifying source and dest addresses as seen by either the client or the

> In most cases, I believe that security policies should make it more
> expensive to recover a message than the message is worth -- but not an
> order of magnitude more.  Maybe twice as expensive.  The more CPU time
> used in attacking, the more electricity must be used (many, many watts
> get dissipated as heat), which costs money.  The more sets of eyes
> looking at it, the more costly it becomes.

The defender must succeed every time, but the attacker only needs to
succeed once.

Therefore, strategies involving relative costs or design complexity tend
to favor the attacker as message volume and/or value increases.

- Marsh