[messaging] The Simple Thing

Moxie Marlinspike moxie at thoughtcrime.org
Fri Oct 3 10:54:37 PDT 2014

On 10/02/2014 06:33 AM, David Leon Gil wrote:
> CT makes detecting key changes symmetric between the parties that intend
> to communicate.
> Traditional TOFU gives MitMs a *choice* of who to target. This makes
> things easier for adversaries in a lot of common situations. (E.g.,
> impersonate the MBA to the crypto guy, or the crypto guy to the MBA?)

I don't see where the symmetry comes from.  In a scenario where only one
party knows what a key is and has decided to opt into key change
notifications, I believe an intercept is possible in either world?

I think the only difference between the two worlds is whether what you
*send* or what you *receive* can be intercepted, and whether you're
notified in real time (before the MITM is successful) or after the fact
(after the MITM is successful).

I think the point of both worlds is really just that the person doing
the intercept is taking a risk, since they won't know whether the
participants have opted into key change notifications or not.  But in
neither world can a participant really "prove" anything to anyone else
if the attacker takes the risk and bets wrong.

- moxie

