Tim Dierks <[EMAIL PROTECTED]> writes: >It does not, and most SSL/TLS implementations/installations do not support >anonymous DH in order to avoid this attack.
Uhh, I think that implementations don't support DH because the de facto standard is RSA, not because of any concern about MITM (see below). You can talk to everything using RSA, you can talk to virtually nothing using DH, therefore...
Sure, although it's a chicken & egg thing: it's not the standard because the initial adopters & designers of SSL didn't have any use for it (not to mention the political strength of RSADSI in the era).
>Many wish that anon DH was more broadly used as an intermediate security >level between bare, insecure TCP & authenticated TLS, but this is not common >at this time.
RSA is already used as anon-DH (via self-signed, snake-oil CA, expired, invalid, etc etc certs), indicating that MITM isn't much of a concern for most users.
There are so many different categories of users that it's probably impossible to make any blanket statements about "most users". It's certainly true that a web e-commerce vendor doesn't have much use for self-signed certificates, since she knows that dialogs popping up warning customers that they have some problem they don't understand is going to lead to the loss of some small fraction of sales. (Not that she necessarily has any concern about the security implications: it's almost entirely a customer comfort and UI issue.)
- Tim
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
