Thanks Allison - tcpcrypt looks interesting, but the following couple of sentences make me a little uneasy:
By default Tcpcrypt is vulnerable to active attacks—an attacker can, for example, modify a server's response to say that Tcpcrypt is not supported (when in fact it is) so that all subsequent traffic will be clear text and can thus be eavesdropped on. Tcpcrypt, however, is powerful enough to stop active attacks, too, if the application using it performs authentication. For example, if you log in to online banking using a password and the connection is over Tcpcrypt, it is possible to use that shared secret between you and the bank (i.e., the password) to authenticate that you are actually speaking to the bank and not some active (man-in-the-middle) attacker.

I don't think they can have it both ways. Either they have a secure, non-PKI-based (see their earlier dismissal of PKI on the same web page) authentication mechanism, or they are vulnerable to man-in-the-middle attacks of both kinds: simple ones which say the server doesn't support tcpcrypt, and advanced ones which interpose a tcpcrypt-capable server between you and the bank…

Needs a bit more investigation before I'd trust it...

Yrs.,
Robin

Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society
email: [email protected]
Phone: +44 705 005 2931
Twitter: @futureidentity

On 11 Dec 2012, at 16:38, Allison Mankin wrote:

> Another non-onerous encryption approach I'm finding quite compelling:
> tcpcrypt (tcpcrypt.org).
>
> On Tue, Dec 11, 2012 at 6:14 AM, Fred Baker (fred) <[email protected]> wrote:
>> I think there are in fact ways to have encryption that are not onerous to
>> users. Secure HTTP encrypts, although having a standard certificate given
>> everybody is not the most "private" way to do things. Diffie-Hellman encrypts
>> without user involvement. If we put our thinking caps on, I suspect we could
>> find a way to encrypt that isn't onerous.
_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
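The mechanism the quoted tcpcrypt text describes, modelled as an added example that is not part of this thread and is not code from the tcpcrypt project: both endpoints derive a per-connection session ID from an unauthenticated key exchange (simulated here with a toy Diffie-Hellman group, an assumption made for the model), and the application's password login is bound to that ID with an HMAC in both directions. Three scenarios are run: the honest connection; the downgrade-to-clear-text attack the quoted text mentions, where the client-side check refuses to send credentials at all; and a relay holding one session with each side, where the server's check rejects the proof because the two session IDs differ. The function names, labels and password are constructed for the example.

```python
"""Model of password authentication bound to a transport session ID.

Added example; not from the thread or from the tcpcrypt project.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (Mersenne prime 2^127 - 1, generator 5): an
# assumption made for this model only; real protocols use standardized groups.
P = 2**127 - 1
G = 5


class Endpoint:
    """One end of a TCP connection; session_id stays None on a clear-text link."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.session_id = None

    def complete(self, peer_pub):
        # Unauthenticated key exchange: anyone can complete it, which is why a
        # relay can hold one session with each side. The session ID is a hash
        # of the shared secret, so it is unique to this particular exchange.
        shared = pow(peer_pub, self.priv, P)
        self.session_id = hashlib.sha256(b"sid|" + shared.to_bytes(16, "big")).digest()


def negotiate(client, server, downgraded=False):
    """Direct negotiation. downgraded=True models the quoted active attack where
    the reply is rewritten to claim encryption is unsupported: no session ID."""
    if downgraded:
        return
    client.complete(server.pub)
    server.complete(client.pub)


def negotiate_via_relay(client, server):
    """Interposed relay completing two separate exchanges, one with each side.
    Each side ends up with a session ID the other side does not share."""
    facing_client, facing_server = Endpoint(), Endpoint()
    client.complete(facing_client.pub)
    facing_client.complete(client.pub)
    server.complete(facing_server.pub)
    facing_server.complete(server.pub)


def proof(password, label, endpoint):
    """HMAC over a direction label and this endpoint's own session ID, keyed by
    the password. Binds the login to one specific encrypted connection."""
    return hmac.new(password, label + endpoint.session_id, hashlib.sha256).digest()


def client_login(password, endpoint):
    """Client refuses to send credentials over a clear-text connection."""
    if endpoint.session_id is None:
        raise RuntimeError("connection not encrypted; refusing to log in")
    return proof(password, b"client|", endpoint)


def server_check_and_reply(password, endpoint, client_proof):
    """Server verifies the client's proof against its own session ID and, if it
    matches, returns its own proof so the client can verify the server too."""
    if endpoint.session_id is None:
        return None
    if not hmac.compare_digest(proof(password, b"client|", endpoint), client_proof):
        return None
    return proof(password, b"server|", endpoint)


def client_check_server(password, endpoint, server_proof):
    """Client verifies the server's proof over the client's own session ID."""
    if server_proof is None:
        return False
    return hmac.compare_digest(proof(password, b"server|", endpoint), server_proof)


def run_scenario(scenario, password=b"constructed-example-password"):
    """Returns 'accepted', 'refused' (client never sent credentials) or
    'rejected' (a session-bound proof did not verify)."""
    client, server = Endpoint(), Endpoint()
    if scenario == "honest":
        negotiate(client, server)
    elif scenario == "downgrade":
        negotiate(client, server, downgraded=True)
    elif scenario == "relay":
        negotiate_via_relay(client, server)
    else:
        raise ValueError(scenario)
    try:
        client_proof = client_login(password, client)
    except RuntimeError:
        return "refused"
    server_proof = server_check_and_reply(password, server, client_proof)
    return "accepted" if client_check_server(password, client, server_proof) else "rejected"


if __name__ == "__main__":
    for name in ("honest", "downgrade", "relay"):
        print(f"{name:9s} -> {run_scenario(name)}")
```

Keying the HMAC directly with the password is the simplest illustration of the quoted idea; a deployment would use a password-derived key or a PAKE so that a captured proof does not expose the password to offline guessing, and the client-side refusal to log in without a session ID is what turns the downgrade from a silent fallback into a visible failure.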
