On 12/01/13 20:02, Daniel Kahn Gillmor wrote:
> If I'm understanding things properly, the server's initial
> certificate (offered during the first handshake) needs to be
> something that the client can use to verify the identity of the
> remote server, without the client proving its identity to the
> server. As a consequence, even if you manage to encrypt the entire
> handshake in something like an anon-DH exchange, it will be
> available to anyone making a request. So while an adversary might
> not be able to effectively snoop on the specific connection,
> they'll be able to initiate a connection to the server and get the
> certificate.
I think your analysis is spot on - sooner or later, a persistent adversary will start handshaking with servers to see what they reveal after the first handshake. But even so, if the implementation burden's not too great, I think it might be worth raising the bar by implementing a double handshake - because as with Tor, there will be some adversaries who are willing to run a simple regex over plaintext traffic but who aren't willing to MITM every TLS handshake or probe every server that receives TLS connections.

Cheers,
Michael

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
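Daniel's point above, that a server hands its certificate to any party that opens a connection before that party proves anything, can be shown directly. The following is an added example written for this page, not code from the thread or from the FreedomBox project: it uses Go's crypto/tls to run a throwaway server with a self-signed certificate (the constructed name "hidden.example"), configured to demand a client certificate and pinned to TLS 1.3, which postdates this thread and encrypts the certificate in flight; the client presents no certificate and is refused, yet records the server's CommonName on the way. This is why a double handshake raises the bar only against passive observers, as Michael says.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ProbeServerCN starts a local TLS 1.3 server that demands a client certificate and
// connects to it without one: the handshake is refused, but the server has already
// handed over its certificate, so the client still learns the (constructed) CommonName.
func ProbeServerCN() (string, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // does not fail with rand.Reader
	tmpl := &x509.Certificate{ // throwaway self-signed cert; "hidden.example" is made up
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "hidden.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
		ClientAuth:   tls.RequireAnyClientCert, // the server insists on client auth
		MinVersion:   tls.VersionTLS13,         // cert is encrypted on the wire, yet still sent
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	// Server side: accept the single connection and run the (failing) handshake.
	go func() { c, _ := ln.Accept(); c.(*tls.Conn).Handshake(); c.Close() }()
	var seen string
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify: true, // whether the chain is trusted is beside the point
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error { // runs before client auth
			if c, err := x509.ParseCertificate(raw[0]); err == nil {
				seen = c.Subject.CommonName
			}
			return nil
		},
	})
	if err == nil { // a TLS 1.3 client can finish before the server's rejection arrives
		conn.Close()
	}
	return seen, nil
}
```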
