Using ANON ciphers (No certificates required/used) while establishing connection and later using the username/password for authentication considered secure communication?
Are there any flaws in it, like 'Man In The Middle' (MITM) attacks possible?
Asked
Active
Viewed 120 times
1
-
How do you perform key exchange between client/server with this protocol? – Dan Landberg May 16 '17 at 16:35
-
@user52472 I don't perform any key exchange. – Venkata Raju May 16 '17 at 16:40
-
2How do the client/server get the keys to encrypt/decrypt data? – Dan Landberg May 16 '17 at 16:44
-
@user52472 Is it mandatory to provide keys while using ANON ciphers? – Venkata Raju May 16 '17 at 16:56
-
Ok, nevermind. I misunderstood your original question. I will add my answer below. Why are you considering anonymous ciphers instead of standard SSL? – Dan Landberg May 16 '17 at 17:00
1 Answers
1
A large portion of the value of SSL/TLS is the validation of the authenticity of the application you are communicating with. Yes, a MITM attack is possible in the scenario you describe. See this other SE answer for more information.
Dan Landberg
- 3,312
- 12
- 17