Re: SMTP TLS, SMTP AUTH, POP TLS -a plea
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: SMTP TLS, SMTP AUTH, POP TLS -a plea
- From: Eugen Leitl <eugen_(_at_)_leitl_(_dot_)_org>
- Date: Sat, 23 Oct 2004 10:41:45 +0200
On Sat, Oct 23, 2004 at 08:10:07AM +1000, Damien Miller wrote:

> People used to say that MITM was irrelevant for SSH too, then Dug Song

MITM is irrelevant in practice. Very few cases of SSL MITM have been
observed. In practice, you can spoof URLs or just social engineer via email.
Or remotely compromise, and sniff passphrases. Or just break
in, and install a keylogger. Or just disappear you, and break your fingers
until you tell. Etc.

> wrote some software and every script-kiddie could do it. That same
> software could, with a basic modification, be used to MITM SSL

OE threat model is Echelon, not h4x0rs. Tapping a fibre is one thing, sifting
out packets selectively, and piping in altered ones is something which can be
done. In theory. In practice, not so.

MITM is detectable with cached keys/fingerprints.

For everything else there are locked-down VPN tunnels, and armed couriers
handcuffed to their bags.

And now, excuse me, I'm out of this thread.

Eugen* Leitl <a href="http://leitl.org">leitl</a>
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 0.98d removed an attachment of type application/pgp-signature]
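
The message above says MITM is detectable with cached keys/fingerprints. As an added example that is not part of the original message or of any software discussed in the thread, this is a minimal trust-on-first-use cache for the certificate a mail server presents after STARTTLS. The class name `PinCache`, the JSON file layout, the host `mx.example.org` and the certificate bytes are assumptions constructed for illustration.

```python
import hashlib, json, os, tempfile

def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()

class PinCache:
    """Trust-on-first-use cache: one fingerprint per host:port, kept on disk."""
    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host, port, der_cert):
        # With smtplib, der_cert would come from
        # smtp.sock.getpeercert(binary_form=True) after smtp.starttls().
        key = "%s:%d" % (host.lower(), port)
        seen = fingerprint(der_cert)
        cached = self.pins.get(key)
        if cached is None:
            self.pins[key] = seen      # first contact: nothing to compare against
            self._save()
            return "first-seen"
        if cached == seen:
            return "match"
        # Mismatch: rotated key or interception. Keep the old pin so the
        # warning repeats until an operator verifies the new key out of band.
        return "changed"

    def _save(self):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.pins, fh, indent=1, sort_keys=True)
        os.replace(tmp, self.path)     # atomic swap, no half-written cache

def demo():
    cert_a = b"constructed-der-bytes-A"   # constructed stand-ins, not real certs
    cert_b = b"constructed-der-bytes-B"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        cache = PinCache(path)
        out = [cache.check("mx.example.org", 25, cert_a),
               cache.check("MX.example.org", 25, cert_a)]
        reloaded = PinCache(path)          # pins survive a restart
        out.append(reloaded.check("mx.example.org", 25, cert_b))
        out.append(reloaded.check("mx.example.org", 25, cert_a))
        return out

if __name__ == "__main__":
    print(demo())
```

The cache cannot tell a legitimate key rotation from interception, and it gives no protection on the first connection, so a "changed" result needs out-of-band verification before the pin is replaced.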