On Monday 10 December 2007 1:22 pm, Dave Cridland wrote: > On Mon Dec 10 20:56:17 2007, Justin Karneges wrote: > > Charlie can't MITM attack: > > Alice <--- TLS ---> Charlie <--- TLS ---> Bob > > (Alice initiates TLS, doesn't get Bob, and so she rejects the > > session. The second TLS channel between Charlie and Bob has no > > relevance.) > > Wrong. Bob doesn't know if Alice has checked his certificate or not. > Alice does, but cannot simply tell Bob, because Bob can't trust her > assertion, because Charlie might be there.
With that mindset, you can claim TLS in general is insecure. After all, even if both Alice and Bob present trusted certificates to each other, neither can be sure their identity was checked by the other. *Yawn*. The worst that can happen then is, to quote myself, "Alice might stupidly (or maliciously?) confuse Bob into thinking Charlie is her, by passing her credentials through Charlie even though Charlie is not Bob." It might be cool to for Bob to cryptographically "prove" that Alice is aware that she is talking to him, but does that have much of a practical benefit? If Alice is that stupid or malicious, then she can do far worse things like post her conversations with Bob onto a public website. -Justin
