John Nagle <[email protected]> writes:

>As an example, suppose a server sending a page sends, at the beginning of the
>page, a hash value which is based on the contents of the page about to be
>sent, and also based on the first 64 bytes of the crypto bits of the
>connection. The browser checks this. The MITM attacker now has a problem. If
>the attacker didn't know about this, the MITM attack immediately sounds an
>alarm at the browser. If the attacker does know about this, they can compute
>their own hash. But they haven't seen the content the hash covers, because
>the page hasn't been transmitted yet.
That's actually really clever, a web-enabled commitment scheme, but one that
takes advantage of the master secret to avoid having to use ZKPs and other
complications. It's a bit like a flipped version of what some broadcast
protocols like TESLA do (based on, AFAIK, Anderson et al.'s Guy Fawkes
protocol, "A New Family of Authentication Protocols"), where you send the data
and MAC but withhold the key; in your case you send the MAC (with key
implicitly shared) but withhold the data.

You should post this to e.g. the cryptography list to see what people think...
maybe we could call it Nagle's Algorithm...

Peter.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
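The commit-then-send exchange from the quoted proposal, modelled as an added example that is not part of the thread and not code from either poster. It instantiates the "hash based on the contents and on the first 64 bytes of the crypto bits" as HMAC-SHA256 keyed with the first 64 bytes of the connection secret; that choice, the function names (`commitment`, `server_send`, `browser_check`, the `mitm_*` scenarios) and the two-message framing are assumptions of the model. The three scenarios follow the quoted text: an honest session, an attacker that does not know about the check and simply relays between its two separate sessions, and an attacker that does know and must therefore commit before it has seen the page.

```python
import hashlib
import hmac
import secrets

# Added example (not from the thread): a toy model of the commit-then-send
# check described in the quoted proposal. The hash is instantiated here as an
# HMAC keyed with the first 64 bytes of the connection's key material; that
# choice, the function names and the two-message framing are assumptions.

KEY_BYTES = 64  # "the first 64 bytes of the crypto bits of the connection"


def commitment(connection_secret: bytes, page: bytes) -> bytes:
    """Hash over the page, bound to this connection's first 64 key bytes."""
    return hmac.new(connection_secret[:KEY_BYTES], page, hashlib.sha256).digest()


def server_send(connection_secret: bytes, page: bytes) -> list:
    """Server output in wire order: the commitment first, then the page."""
    return [commitment(connection_secret, page), page]


def browser_check(connection_secret: bytes, received: list) -> bool:
    """Browser recomputes the commitment once the page has arrived and
    compares it (constant-time) with the value promised up front."""
    promised, page = received
    return hmac.compare_digest(promised, commitment(connection_secret, page))


def honest_session(page: bytes) -> bool:
    """No interception: both ends share the key material from one handshake."""
    secret = secrets.token_bytes(KEY_BYTES)
    return browser_check(secret, server_send(secret, page))


def mitm_relay(page: bytes) -> bool:
    """Attacker unaware of the scheme relays bytes between two separate
    sessions. The browser-side key material comes from the attacker's own
    handshake, so the relayed commitment no longer verifies: the alarm case."""
    server_side = secrets.token_bytes(KEY_BYTES)
    browser_side = secrets.token_bytes(KEY_BYTES)  # differs from server_side
    promised, page_from_server = server_send(server_side, page)
    return browser_check(browser_side, [promised, page_from_server])


def mitm_forge_before_content(page: bytes, attacker_guess: bytes) -> bool:
    """Attacker aware of the scheme must emit a browser-side commitment when
    the server's commitment arrives, i.e. before the page has been seen. All
    it can commit to is a guess, so the check fails unless the guess matches
    the real page byte for byte."""
    server_side = secrets.token_bytes(KEY_BYTES)
    browser_side = secrets.token_bytes(KEY_BYTES)
    _, page_from_server = server_send(server_side, page)
    forged = commitment(browser_side, attacker_guess)  # page not yet known
    return browser_check(browser_side, [forged, page_from_server])


if __name__ == "__main__":
    sample = b"<html><body>constructed sample page</body></html>"
    print("honest:", honest_session(sample))
    print("relay:", mitm_relay(sample))
    print("forge:", mitm_forge_before_content(sample, b"<html>guess</html>"))
```

The model encodes the ordering the quoted design depends on: the browser-side commitment has to be on the wire before the page is, and it is keyed to material the interposed party does not share with the origin server. That is exactly Peter's "withhold the data" reading of the TESLA / Guy Fawkes idea, with the key implicitly shared by the handshake instead of being released later.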

