On 11/18/14, 5:06 PM, Jason Greene wrote:
>> On Nov 17, 2014, at 11:52 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>>
>>
>> On Nov 17, 2014 8:14 AM, "Jason Greene" <jason.greene@redhat.com> wrote:
>>> Even better would be to support anonymous ECDH. Why bother requiring all of these fake certs to be generated when they have no legit purpose?
>> That at least is an easy one to answer. If your handshake looks different (and any anonymous mode will, unless you use TLS 1.3 and some aggressive padding), then you open an invitation to MitM. Have them look identical, and it gets harder to mount an undetectable attack. Not to mention avoiding code complexity.
> That's a pretty small advantage. Self-signed certs are easily detected and decoded by anyone in a position to MITM.
Yes. In fact, someone who works at a pretty large vendor stood up at
the Zürich interim meeting and said that his product was doing just this.
>
> Anyway, I thought the point was to replace plain text communication where possible, and that requires addressing the non-authenticated case, which this IAB statement even references.
>
Yes. If anything, this group has led in efforts to use as much
encryption as possible. The big question before you is really whether
you agree with the concerns that PHB and Will Chen have separately
raised, about whether anonymous encryption would cause people to not
deploy The Real Thing. My crystal ball tells me that this is less of a
concern than any interoperability problems we might see due to poor
crypto algorithm agility. That is something that we as a community need
to work on (and not just the browser folk).
Eliot