Ben Smyth <resea...@bensmyth.com> writes:

>should we consider PSK-mode authentication weaker than certificate-based
>authentication?

No, it's much stronger. With cert-based server auth, a client will connect to anything that has a certificate from any CA anywhere, in other words pretty much anything at all, and declare the connection secure. It's slightly better than anon-DH, but it offers almost no protection against phishing, the most common attack on the web today. The best form of this mixes in cert-based client auth as well, so the client connects to a phishing site that authenticates itself with a CA-issued cert, the client then authenticates with a CA-issued cert, and the result as far as the client is aware is a fully CA-certified cryptographically secured connection to a site that's actually run by the MageCart Syndicate.

With PSK a client can only connect to a server that proves knowledge of the shared secret, which immediately kills phishing because the attacker would need to prove knowledge of the credentials they're trying to phish before they can phish them.

(Note that this is for web use, for non-web use like SCADA the software typically hardcodes in certificates and keys and will only trust those, which in a sense makes it more PSK than cert-based auth).

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
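
The two acceptance decisions contrasted in the message above, as an added example that is not part of the original post. It is a simplified model, not the TLS 1.3 key schedule: the CA names, hostname, `Server` class and function names are all constructed for illustration, and certificate signature checking is assumed to have passed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a browser root store.
TRUSTED_CAS = {"CA-One", "CA-Two"}

def cert_client_accepts(host, cert):
    """Cert-based decision: any trusted CA will do, and the name only has to
    match the host the user was sent to (signature check assumed valid)."""
    return cert["issuer"] in TRUSTED_CAS and cert["subject"] == host

def finished_mac(psk, client_nonce, server_nonce):
    """Proof of PSK knowledge: a MAC over both nonces under a PSK-derived key."""
    key = hmac.new(psk, b"finished", hashlib.sha256).digest()
    return hmac.new(key, client_nonce + server_nonce, hashlib.sha256).digest()

class Server:
    """Hypothetical server that answers a client nonce with its own proof."""
    def __init__(self, psk):
        self.psk = psk

    def respond(self, client_nonce):
        server_nonce = os.urandom(32)
        return server_nonce, finished_mac(self.psk, client_nonce, server_nonce)

def psk_client_accepts(psk, server):
    """PSK decision: accept only if the server proves it holds the same secret."""
    client_nonce = os.urandom(32)  # fresh per connection, so proofs cannot be replayed
    server_nonce, proof = server.respond(client_nonce)
    expected = finished_mac(psk, client_nonce, server_nonce)
    return hmac.compare_digest(proof, expected)

def demo():
    psk = os.urandom(32)
    real = Server(psk)
    lookalike = Server(os.urandom(32))  # does not know the shared secret
    # Constructed certificate: valid for the lookalike's own name.
    lookalike_cert = {"subject": "login.examp1e.test", "issuer": "CA-Two"}
    return {
        "cert_lookalike": cert_client_accepts("login.examp1e.test", lookalike_cert),
        "psk_real": psk_client_accepts(psk, real),
        "psk_lookalike": psk_client_accepts(psk, lookalike),
    }

if __name__ == "__main__":
    print(demo())
```

The certificate check passes for the lookalike host because it only ties the server to a name, while the PSK check fails for any server that cannot compute the MAC.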