Re: would a key-less responder make better security

[pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)]

Vadim Fedukovich <vf@xxxxxxxxx> writes:
 
>both attack types mentioned have an established business so to say: one can
>try own the host or try to get host effectively down. Both results in an
>asset of some sort. One should expect there will be man-in-the-middle if it
>could result in something better that just demonstration.

The difference between a simple [0] attack on the two types of responder is
that if someone DOSes my responder, I can report it to the RP as a potential
problem and they can fall back to a secondary mechanism, e.g.make decisions
based on a floor-limit mechanism, use another channel for checking, refuse to
do anything until things are back to normal, or whatever, depending on what
the accepted practice is in their industry.  If someone replays "Everything's
OK" messages, I have no idea that there's a problem.  Allowing cached
responses is therefore "better" only in the sense that the RP is made
oblivious to the fact that someone's attacking them.  This seems to be a very
odd definition of "better"... it's a bit like anaesthetising someone so they
don't notice a mugger beating them over the head with a baseball bat in order
to steal their money.

Peter.

[0] Meaning something other than some haxor 0wning your server, in which case
    all bets are off no matter what model you're using.