monotone-devel

[Monotone-devel] Re: Transport encryption


From: Bruce Stephens
Subject: [Monotone-devel] Re: Transport encryption
Date: Thu, 13 Oct 2005 17:46:06 +0100
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux)

Ethan Blanton <address@hidden> writes:

[...]

> Unless I'm missing something, using TLS without certificates will
> not give you much security at all ... monotone itself will guarantee
> that there is no man-in-the-middle *changing* your stream, but if
> the encryption isn't authenticated then someone could still be
> *reading* your stream.  In that case, why bother with encryption at
> all.

I think that's right, but that doesn't necessarily rule it out.  As
always, I imagine it depends on your threat model.  If you're worried
about people reading your source using ethereal or something, then an
anonymous cipher would still be valuable.  If you're worried about
MITM, then it wouldn't be useful.

I've never looked at GNU TLS.  Maybe it would be straightforward
enough to change the handshaking to use monotone's existing keys
rather than what it uses now?

Or maybe it's best just to invent something.  That tends not to be
advised, though (it's easy to make a mistake).

[...]




