> Actually, encryption can do some good, even in the absence of authentication. > > Even if the remote end is totally unauthenticated, you have at least > guaranteed > that nobody is doing any passive sniffing of the content in transit. You've > at least forced an attacker to mount an active MitM attack, which is both more > challenging and has a higher risk of detection....
I concede. In the vast majority of communications situations, MitM is only a little more difficult than passive sniffing, but in some it does make a difference. In particular, some broadcast mediums make MitM very difficult without detection (radio broadcast, for instance). In addition, if you can guarantee perfect forward secrecy without authentication, at least the attacker must use a MitM attack right then. Offline analysis won't reveal the encrypted content. thanks, tim. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
