Re: IAB Statement on Internet Confidentiality

On Nov 17, 2014 8:14 AM, "Jason Greene" <jason.greene@redhat.com> wrote:
> Even better would be to support anonymous ECDH. Why bother requiring all
> of these fake certs to be generated when they have no legit purpose.

That at least is an easy one to answer. If your handshake looks different
(and any anonymous mode will, unless you use TLS 1.3 and some aggressive
padding), then you open an invitation to MitM. Have them look identical,
and it gets harder to mount an undetectable attack. Not to mention avoiding
code complexity.

Received on Tuesday, 18 November 2014 05:52:30 UTC