Comment by tptacek

11 years ago

Without some kind of authentication, the encryption TLS offers provides no meaningful security. It might as well be an elaborate compression scheme. The only "security" derived from unauthenticated TLS presumes that attackers can't see the first few packets of a session. But of course, real attackers trivially see all the traffic for a session, because they snare attackers with routing, DNS, and layer 2 redirection.

What's especially baffling about self-signed certificate advocacy is the implied threat model. Low- and mid-level network attackers and crime syndicates can't compromise a CA. Every nation state can, of course (so long as the site in question isn't public-key-pinned). But nation states are also uniquely capable of MITMing connections!

>The only "security" derived from unauthenticated TLS presumes that attackers can't see the first few packets of a session

Could you elaborate here? With a self-signed cert, the server is still not sending secret information in the first few packets; it just tells you (without authentication) which public key to use to encrypt the later packets (well, the public key to encrypt the private key for later encryption).

The threat model would be eavesdroppers who can't control the channel, only look. Using the SS cert would be better than an unencrypted connection, though it still shouldn't be represented as being as secure as full TLS. As it stands, the server is either forced to wait to get the cert, or serve unencrypted such that all attackers can see.

  • There are no such attackers.

    • Do you think that with public key pinning self-signed certs begin to make sense? Also, do you feel that CAs and the PKI system do provide appropriate authentication (this being a cost-benefit rather than a 100%-correctness analysis)?

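The two threat models argued over above (a passive eavesdropper versus an on-path attacker who substitutes keys, and what pinning changes) can be made concrete with a small simulation. The following is an added example written for this page, not code from tptacek or any other commenter, and not TLS itself: a Diffie-Hellman exchange over RFC 3526 group 14, a toy SHA-256 counter-mode stream cipher standing in for the record layer, and a Schnorr signature over the same group standing in for the server's certificate. The class and function names (`Server`, `Client`, `passive_eavesdropper`, `active_mitm`), the `SECRET` plaintext and "pinning" modelled as the client already holding the server's long-term public key are all my own constructions.

```python
"""Constructed model of the thread's two attackers against an unauthenticated key exchange.
Not TLS: DH over RFC 3526 group 14, a toy stream cipher, and a Schnorr signature standing in
for a certificate. Pinning = the client already knows the server's long-term public key."""
import hashlib
import secrets

# RFC 3526 MODP group 14: 2048-bit safe prime p = 2q + 1, generator 2 of prime order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
assert pow(G, Q, P) == 1  # sanity check: G generates the order-q subgroup
WIDTH = (P.bit_length() + 7) // 8
SECRET = b"Cookie: session=9f1c0a7e (constructed sample plaintext)"  # constructed


def i2b(n: int) -> bytes:
    return n.to_bytes(WIDTH, "big")


def h_int(*parts: bytes) -> int:
    """Hash byte strings to an exponent in [0, q)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def keypair():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    """Schnorr signature with long-term private key x (stands in for a certificate)."""
    k, r = keypair()
    e = h_int(i2b(r), msg)
    return r, (k + e * x) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = h_int(i2b(r), msg)
    return pow(G, s, P) == (r * pow(y, e, P)) % P


def session_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(b"toy-dh|" + i2b(pow(peer_pub, priv, P))).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream, no integrity tag; illustration only."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


class Server:
    def __init__(self, identity=None):
        self.identity = identity  # (x, y) long-term key, or None

    def hello(self):
        self.eph, pub = keypair()
        sig = sign(self.identity[0], i2b(pub)) if self.identity else None
        return pub, sig

    def receive(self, client_pub: int, ct: bytes) -> bytes:
        return xor_stream(session_key(self.eph, client_pub), ct)


class Client:
    def __init__(self, pinned=None):
        self.pinned = pinned  # server's long-term public key y, if pinned

    def connect(self, server_pub: int, sig, plaintext: bytes):
        # Unpinned: accept any key (a client that clicked through a self-signed warning).
        # Pinned: the ephemeral key must be signed by the key we already know.
        if self.pinned is not None and not (sig and verify(self.pinned, i2b(server_pub), sig)):
            raise ValueError("server key not signed by pinned identity")
        priv, pub = keypair()
        return pub, xor_stream(session_key(priv, server_pub), plaintext)


def passive_eavesdropper() -> bool:
    """Attacker sees every packet but alters none: the exchange stays confidential."""
    server, client = Server(), Client()
    s_pub, sig = server.hello()
    c_pub, ct = client.connect(s_pub, sig, SECRET)
    # The eavesdropper holds s_pub, c_pub and ct, but neither private exponent.
    return ct != SECRET and server.receive(c_pub, ct) == SECRET


def active_mitm(client_pins: bool):
    """On-path attacker (routing, DNS or layer-2 redirection) substitutes its own key."""
    identity = keypair()
    server = Server(identity)
    client = Client(pinned=identity[1] if client_pins else None)
    s_pub, _real_sig = server.hello()
    m_priv, m_pub = keypair()           # attacker's own ephemeral key ...
    forged = sign(keypair()[0], i2b(m_pub))  # ... "self-signed" with a key it just made up
    try:
        c_pub, ct = client.connect(m_pub, forged, SECRET)
    except ValueError:
        return "detected"
    recovered = xor_stream(session_key(m_priv, c_pub), ct)  # attacker reads the plaintext
    # Relay over a second, independent exchange so the real server notices nothing.
    r_priv, r_pub = keypair()
    server.receive(r_pub, xor_stream(session_key(r_priv, s_pub), recovered))
    return recovered
```

`passive_eavesdropper()` returns True: against a watch-only attacker the unauthenticated exchange does protect the plaintext, which is the case the reply above has in mind. `active_mitm(client_pins=False)` returns the plaintext: an on-path attacker who controls routing or DNS simply substitutes its own key and the unpinned client cannot tell, which is tptacek's point that the encryption alone buys nothing against the attackers who actually exist. `active_mitm(client_pins=True)` returns "detected": the same substitution fails once the client insists the ephemeral key be signed by a long-term key it already knows, which is what pinning a self-signed key would add. The signature here is a toy stand-in for a certificate; real TLS uses the record layer and X.509, not this code.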