On Jul 23, 2017, at 12:05 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> 
wrote:
> I think there's no way the connection can be established if the third party 
> in control of the network does not allow that. 

This is why it’s hard to reason well about this stuff—we tend to get the threat 
models wrong. The attack that negotiating enables is not that a third party 
can block all connections. They can always block all connections.

What the attack enables is blocking only those connections that don’t negotiate 
a downgrade. So if you negotiate a downgrade, you get to look at your content, 
but if you don’t negotiate the downgrade, you don’t. This allows a MiTM to 
coerce end users into negotiating downgrades.

Of course the far end can just not downgrade, but it may have downgrading 
enabled either for debugging purposes, never intending that all connections be 
downgraded, or because the operator didn’t configure the server correctly. If 
it’s not in the standard, it can still be enabled by operators who are 
violating the end user’s trust, but won’t happen by accident and won’t be 
possible to coerce with a MiTM attack. 
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
