On Tue, Jul 14, 2015 at 07:30:38PM +0000, Andrei Popov wrote:

> Using anonymous cipher suites for opportunistic connections allows the
> server operator to explicitly enable anonymous connections, and it saves
> bytes on the wire.

Yes, and informs the server that the client is skipping authentication, which is often useful information on the server end. It is a common mistake to suggest that servers should disable anon_DH; that advice is appropriate for most clients, but is mostly wrong for servers. Servers might in some cases want to minimize what they present to clients that connect with anon_DH ciphers, but they can't typically do that when they preclude the negotiation of anon_DH.

> The downside is of course that the attacker can easily distinguish
> opportunistic clients from server-authenticating ones. Is this a concern
> for the opportunistic TLS community?

A minor concern, but a determined adversary has many ways to figure out which client/server pairs don't involve server certificate checks.

--
Viktor.