(1) "known weaknesses [citations]" is significantly different
from "we don't like it" or "we assert it is bad" or even "we
don't like things unless they contain several additional
layers". The third of these might be a reasonable statement,
but would require even more justification because...

Times change. Today, using challenge response mechanisms such as
CRAM-MD5 over unencrypted channels is not much more secure than sending
the password in clear text. If a third party can listen to the challenge
and response, they can then mount a dictionary attack.

Steve Bellovin was alluding to the "evil twin" attack on wireless
networks. Allow me to elaborate.

The technique allows an attacker to lure unsuspecting travelers to
connect to an unprotected wireless network under the attacker's control.
Very often, laptops are programmed to fetch pending e-mail as soon as
they connect to a network. The laptop will try to resolve
"mail.example.com", and start a POP3 or IMAP exchange. The attacker
controls the DNS service on the wireless network, and will easily spoof
the server. It will then respond to the connection with a CRAM-MD5
challenge, and harvest the e-mail address of the victim as well as the
answer to the challenge. The attacker is now in a position to obtain the
e-mail and password pair for the victim. The attack lasts a few seconds,
and may not require any particular action by the victim.

IETF protocols should not endorse the use of unprotected
challenge-response mechanisms. They certainly should not lure clients to
accept challenges from unauthenticated servers.

-- Christian Huitema
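
An added example, not part of the original message: the CRAM-MD5 response as RFC 2195 defines it, next to a client-side rule that declines to answer any challenge until the server has been authenticated. The function names, the `server_authenticated` flag (assumed to mean TLS with a certificate verified for the expected host name), the mechanism preference order and the sample capability lines are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Challenge and credentials are the published example from RFC 2195.
RFC2195_CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()

def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # The response is a deterministic function of the password and of a
    # challenge chosen by whoever plays the server role, which is why the
    # message above treats it as password-equivalent on an open channel.
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def next_step(capability_line: str, server_authenticated: bool) -> str:
    """Hypothetical client policy applied to an IMAP CAPABILITY line."""
    caps = {tok.upper() for tok in capability_line.split()}
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    if not server_authenticated:
        # Never answer a challenge, or send a password, to a peer whose
        # identity has not been verified. Upgrade the channel or stop.
        return "STARTTLS" if "STARTTLS" in caps else "ABORT"
    for mech in ("CRAM-MD5", "PLAIN"):  # preference order is an assumption
        if mech in mechs:
            return "AUTHENTICATE " + mech
    return "ABORT"

if __name__ == "__main__":
    # Constructed capability lines, not captured from a real server.
    samples = [
        ("* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5", False),
        ("* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5", False),
        ("* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN", True),
    ]
    for line, authenticated in samples:
        print(f"{line!r} authenticated={authenticated} -> "
              f"{next_step(line, authenticated)}")
    resp = cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE_B64)
    print(base64.b64decode(resp).decode())
```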