On Mon, April 4, 2016 8:50 am, Phil Lello wrote:
> On Mon, Apr 4, 2016 at 3:36 PM, Dan Harkins <dhark...@lounge.org> wrote:
>
>> Usually what happens is the server generates a self-signed certificate
>> and the apps are given some "username" and "password" and the app
>> ignores the unauthenticated nature of the TLS connection and sends
>> the u/p credential on through.
>
> Isn't this use case more of an argument for an updated auth-digest to use
> something better than MD5? I'm not convinced MITM is a real concern for a
> typical IoT environment (however that's defined - I'm assuming http in a
> domestic environment).

First of all, what makes you think it's MD5 digest and not just plaintext? And updated by whom? These are ad hoc constructions done because the alternative is too onerous.

As someone who has stolen wi-fi from the apt next door that was protected by a PSK I would say that doing a dictionary attack in a "domestic environment" is entirely plausible. If I have to do a soft AP advertising the neighbor's SSID in order to lure a set-top box or thermostat or whatever to connect to me then that's a very low bar.

regards,

Dan.