M Taylor wrote:
>
> Stupid question I'm sure, but does TLS's anonymous DH protect against
> man-in-the-middle attacks? If so, how? I cannot figure out how it would,

Ah, there's the rub. ADH does not protect against MITM, as far as I am aware.

> and it would seem TLS would be wide open to abuse without MITM protection so
> I cannot imagine it would be acceptable practice without some form of
> security.

View A: MITM is extremely rare. It's quite a valid threat model to say that MITM is a possibility that won't need to be defended against, 100%. E.g.1, SSH which successfully defends most online Unix servers, by assuming the first contact is a good contact. E.g.2, PGP, which bounces MITM protection up to a higher layer.

Or, what's your threat model? Why does it include MITM and how much do you want to pay?

View B: MITM is a real and valid threat, and should be considered. By this motive, ADH is not a recommended mode in TLS, and is also deprecated. Ergo, your threat model must include MITM, and you will pay the cost.

(Presumably this logic is behind the decision by the TLS RFC writers to deprecate ADH. Hence, talking about ADH in TLS is a waste of time, which is why I have stopped suggesting that ADH be used to secure browsing, and am concentrating on self-signed certs. Anybody care to comment from the TLS team as to what the posture is?)

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
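
Added example, not part of the original post: a toy unauthenticated DH exchange showing that nothing inside the exchange reveals a substituted public value, next to the SSH-style first-contact pinning the reply mentions, which flags a changed key only on later contacts. The group parameters, the `PinStore` helper and the name `host.example` are constructed for illustration and are assumptions, not TLS or SSH code.

```python
import hashlib
import secrets

# Toy DH group, constructed for illustration; far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]

def exchange(client, server_pub_seen, server, client_pub_seen):
    """Each side derives a key from whatever public value reached it."""
    client_key = pow(server_pub_seen, client[0], P)
    server_key = pow(client_pub_seen, server[0], P)
    return client_key, server_key

class PinStore:
    """SSH-style first-contact pinning (hypothetical helper)."""
    def __init__(self):
        self.pins = {}

    def check(self, host, pub):
        fp = fingerprint(pub)
        if host not in self.pins:
            self.pins[host] = fp  # first contact is assumed to be good
            return "pinned-on-first-contact"
        return "match" if self.pins[host] == fp else "MISMATCH"

def demo():
    client, server, relay = keypair(), keypair(), keypair()
    # Direct exchange: both ends derive the same key.
    direct = exchange(client, server[1], server, client[1])
    # Relayed exchange: each end received the relay's value instead.
    # Both computations still succeed; the ends just hold different keys.
    relayed = exchange(client, relay[1], server, relay[1])
    # Only a check on the key's identity notices: pin the server key,
    # see it again, then see a different one on a later contact.
    pins = PinStore()
    first = pins.check("host.example", server[1])
    again = pins.check("host.example", server[1])
    swapped = pins.check("host.example", relay[1])
    return direct[0] == direct[1], relayed[0] == relayed[1], first, again, swapped

if __name__ == "__main__":
    print(demo())
```

If the relay's key had been the one presented on first contact, `PinStore` would have pinned it without complaint, which is the assumption View A accepts.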