Re: authenticating peers

2010-05-29 Thread Barry Skidmore
Answer: Never trust any data that you did not generate yourself and are 100% certain it is bug free. Meaning: Don't process it at all ever until you run sanity checks against it. Trust is an entirely different animal.
Thanks,
Barry
On May 29, 2010, at 4:42 PM, Michael Ash wrote:
On Sat

Re: authenticating peers

2010-05-29 Thread Michael Ash
On Sat, May 29, 2010 at 3:04 PM, Jens Alfke wrote:
> This is rapidly heading off-topic, but:
> On May 29, 2010, at 4:15 AM, Michael Ash wrote:
>
>> Man-in-the-middle: if I execute the attack the first time you talk to
>> a given peer, you have no way of detecting me.
>
> This is avoided using an o

Re: authenticating peers

2010-05-29 Thread Jens Alfke
This is rapidly heading off-topic, but:
On May 29, 2010, at 4:15 AM, Michael Ash wrote:
> Man-in-the-middle: if I execute the attack the first time you talk to
> a given peer, you have no way of detecting me.
This is avoided using an out-of-band exchange of a secret over a trusted channel (dire

Re: authenticating peers

2010-05-29 Thread Michael Ash
On Fri, May 28, 2010 at 10:34 PM, Jens Alfke wrote:
>
> On May 28, 2010, at 6:59 PM, Michael Ash wrote:
>
>> An attacker can execute a man-in-the-middle attack...
>> An attacker can simply impersonate your app...
>> Neither of these can be defended against, even theoretically, when
>> communicati

Re: authenticating peers

2010-05-28 Thread Jens Alfke
On May 28, 2010, at 6:59 PM, Michael Ash wrote:
> An attacker can execute a man-in-the-middle attack...
> An attacker can simply impersonate your app...
> Neither of these can be defended against, even theoretically, when
> communicating peer-to-peer.
Not true; if you use SSL or some equivalent