"Obfuscated TCP" (was Re: [clug] OT: Protesting the proposed clean feed?)

Sunnz sunnzy at gmail.com
Sat Oct 25 07:12:05 GMT 2008

2008/10/23 Daniel Pittman <daniel at rimspace.net>:
>> It uses DH which from what I understand, you can't do a MITM, or can
>> you?
> Absolutely.  The ability to perform a "man in the middle" attack is
> related entirely, absolutely, one hundred percent to having a
> trustworthy proof of identity for the third party.
> Otherwise, you know, you just used the DH exchange to securely verify
> that you were talking to the police data logger -- which isn't exactly
> what you set out to achieve, right?
> That proof of identity generally means you need one of a secure channel
> to pre-exchange identity information, or a trusted third party to vouch
> for the participants.
> In this case, where you have no pre-shared secret, and no trusted third
> party, MITM is trivial: you have no way of verifying that the remote
> host is, in fact, the remote host and not a third party in the middle of
> the exchange.
> Also, in the context of a legally mandated, nationwide system, you can
> assume that DNS is subject to tampering; unless you have suitably strong
> authentication there[2] then you have *no* assurance of, well, anything.

Ah, I see, so you really do need to pre-share something to make a
secure authentic connection, such as a pre-shared CA.

About DNS, would DNSSEC give you strong authentication?

>> Anyway, yeah, IPsec or VPN would be a more general solution, except, when
>> the ISP does intercept your connection, and use their own certificate,
>> then what are you going to do? If you don't accept it you can't
>> connect to the server you want; if you accept it then you know your
>> connection is being intercepted.
> Knowing that the connection has been intercepted is a significant
> advantage compared to not knowing.

Ok. So say you know that the connection has been intercepted, and your
VPN software wouldn't go further because it can't authenticate the
other side... so what do you do then?

I mean, it is better to know that the connection has been intercepted.
I guess what I am trying to say is, when the packet carrier is purposely
intercepting all encrypted traffic, then you are pretty much screwed,
you just can't start a secure connection to anyone without the ISP
inspecting your data... I mean, you can choose not to do anything at
all, but then you won't get your data across... so effectively, the
ISP would be like, "let us peek at your stuff, or we will simply
deny our service to you."
This e-mail may be confidential. You may not copy, forward or use any
part. All disclaimers on the Internet are of zero legal effectiveness
however. http://www.goldmark.org/jeff/stupid-disclaimers/
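
The point made in this thread, as an added example that is not part of the original messages: a bare DH exchange completes normally when a host in the path substitutes its own public value, while the same exchange with a pre-shared secret notices the substitution. The prime, the function names and the sample secret are assumptions chosen for illustration; the group is far too small for real use.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime (assumption for the demo), not a safe DH group
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def tag(psk, pub):
    # Simplified: real protocols authenticate the whole handshake transcript.
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def exchange(intercepted, psk=None):
    """Run one Alice/Bob handshake; psk=None means no authentication."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # Each message is (public value, tag); the tag is None without a psk.
    to_bob = (a_pub, tag(psk, a_pub) if psk is not None else None)
    to_alice = (b_pub, tag(psk, b_pub) if psk is not None else None)
    middle_keys = set()
    if intercepted:
        m_priv, m_pub = keypair()
        middle_keys = {session_key(m_priv, a_pub), session_key(m_priv, b_pub)}
        # The middle host lacks the psk, so it cannot produce a tag for m_pub.
        to_bob = (m_pub, to_bob[1])
        to_alice = (m_pub, to_alice[1])
    if psk is not None:
        for pub, received_tag in (to_bob, to_alice):
            if not hmac.compare_digest(received_tag, tag(psk, pub)):
                return {"detected": True, "exposed": False, "keys_match": False}
    a_key = session_key(a_priv, to_alice[0])
    b_key = session_key(b_priv, to_bob[0])
    exposed = a_key in middle_keys and b_key in middle_keys
    return {"detected": False, "exposed": exposed, "keys_match": a_key == b_key}

if __name__ == "__main__":
    demo_psk = b"constructed-sample-secret"   # constructed value for the demo
    print("plain DH, clean path:      ", exchange(False))
    print("plain DH, intercepted:     ", exchange(True))
    print("authenticated, intercepted:", exchange(True, demo_psk))
```

In the unauthenticated intercepted run both endpoints finish the handshake with no error, which is the "securely talking to the data logger" outcome described above; only the run with the pre-shared secret reports the substitution.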
