
RE: RFC 2195 (Was: what happened to newtrk?)

2006-09-08 08:14:59

From: Ned Freed [mailto:ned(_dot_)freed(_at_)mrochek(_dot_)com] 

The attacker cannot downgrade the server security, 
particularly if the 
server does not support unencrypted IMAP or POP.

I don't think the lack of support for unencrypted IMAP or POP 
is quite sufficient. What's to stop an attacker acting as a 
MITM (by publishing a bogus SRV record or whatever) getting 
an unencrypted connection and turning around and connecting to 
the server using encryption?

Hopefully one would deploy DNSSEC.


Either a client key check on the server or the client 
requiring encryption and checking the server cert will address 
this, I believe.

If one has DNSSEC one could also use a DNS distributed key to secure the server 
key.

That avoids the need to have that particular cert issued by a Trusted Third 
Party. 

If you deploy DNSSEC the downgrade attack can be eliminated.

That prevents one MITM attack vector, but there may be others.

I have a somewhat larger proposal. I think that it is in fact possible to offer 
a very robust level of security.

The discussion here is missing the point though. Most security schemes fail 
because they are not used and they are not used because the administrative 
configuration process is utterly abysmal. The reason that most WiFi access 
points are not secured has nothing to do with the insecurity of WEP - which is 
fixable.


Fixing security holes is easy. Fixing usability holes is very hard, 
particularly because none of us are psychologists and few of us are likely to 
want to learn about it.

Therefore the security strategy we should be pushing for is going to be one 
that requires the minimum number of user interactions while providing the user 
with the most direct information that allows them to be safe.


We currently have an abysmal security infrastructure in the Internet and this 
is not going to be solved just by everyone deploying IPSEC.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
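The thread's defence against the relayed-plaintext MITM is a client that insists on encryption and verifies the server certificate rather than quietly falling back. The following is an added illustration of that client-side policy; it is not code from the thread or from any of its participants. It uses Python's standard `ssl` and `imaplib` modules; the CAPABILITY strings, the host name and the optional pinned-CA path are constructed sample values, and the pre-login decision function is a simplified sketch of what a real client would do before sending any credential (including a challenge-response one such as CRAM-MD5).

```python
"""Added example (not part of the thread): a mail client's TLS policy that
refuses to be downgraded to a plaintext session.

Shows two pieces of the defence discussed in the thread:
  1. a TLS context that requires and verifies the server certificate and
     checks the host name, so a relay cannot present itself as the server;
  2. a pre-login decision that never sends credentials over a plaintext
     session, even when STARTTLS has been stripped from the capability list.
"""
import imaplib
import ssl
from typing import Optional

# Constructed sample CAPABILITY responses, as an IMAP server might return
# before STARTTLS. The second is what a downgrading relay could present
# after stripping STARTTLS from the real server's answer.
CAPS_WITH_STARTTLS = "IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"
CAPS_NO_STARTTLS = "IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5"


def strict_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that verifies the server certificate and host name.

    cafile is an optional path to a pinned CA or server-certificate bundle
    (assumption: distributed out of band, for example via a DNS-published key
    as the thread suggests); None uses the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED          # refuse unverified servers
    ctx.check_hostname = True                    # cert must name the target
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context both requires a certificate and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def decide_pre_login(capabilities: str, session_encrypted: bool) -> str:
    """Client policy applied to a CAPABILITY response before any login.

    Returns one of:
      "login"    - session already encrypted, proceed to authenticate
      "starttls" - plaintext session but STARTTLS offered, upgrade first
      "abort"    - plaintext and no STARTTLS: treat as a downgrade and send
                   nothing further (no PLAIN, and no CRAM-MD5 either)
    """
    caps = set(capabilities.upper().split())
    if session_encrypted:
        return "login"
    if "STARTTLS" in caps:
        return "starttls"
    return "abort"


def connect_imaps(host: str, port: int = 993,
                  cafile: Optional[str] = None) -> imaplib.IMAP4_SSL:
    """Open an implicit-TLS IMAP session with the strict context.

    A certificate or host-name mismatch raises ssl.SSLCertVerificationError
    before any command is sent; the caller should not retry in plaintext.
    """
    return imaplib.IMAP4_SSL(host, port, ssl_context=strict_tls_context(cafile))


if __name__ == "__main__":
    # Constructed host name; no network access is made in this demonstration.
    for caps in (CAPS_WITH_STARTTLS, CAPS_NO_STARTTLS):
        print(f"{caps!r:55} plaintext -> {decide_pre_login(caps, False)}")
    print("strict context:", context_is_strict(strict_tls_context()))
```

The important design choice is the "abort" branch: a client that falls back to plaintext when STARTTLS is missing gives the relay exactly the downgrade the thread describes, whatever the server itself supports. Pairing that with `check_hostname` and a required certificate means the relay must also present a certificate for the expected name, which is the client-side check the thread calls sufficient.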
