[messaging] The Simple Thing
Moxie Marlinspike
moxie at thoughtcrime.org
Fri Oct 3 10:54:37 PDT 2014

On 10/02/2014 06:33 AM, David Leon Gil wrote:
>
> CT makes detecting key changes symmetric between the parties that intend
> to communicate.
>
> Traditional TOFU gives MitMs a *choice* of who to target. This makes
> things easier for adversaries in a lot of common situations. (E.g.,
> impersonate the MBA to the crypto guy, or the crypto guy to the MBA?)

I don't see where the symmetry comes from. In a scenario where only one
party knows what a key is and has decided to opt into key change
notifications, I believe an intercept is possible in either world?

I think the only difference between the two worlds is whether what you
*send* or what you *receive* can be intercepted, and whether you're
notified in real time (before the MITM is successful) or after the fact
(after the MITM is successful).

I think the point of both worlds is really just that the person doing
the intercept is taking a risk, since they won't know whether the
participants have opted into key change notifications or not. But in
neither world can a participant really "prove" anything to anyone else
if the attacker takes the risk and bets wrong.

- moxie
--
http://www.thoughtcrime.org