

On Sat, Oct 23, 2004 at 08:10:07AM +1000, Damien Miller wrote:

> People used to say that MITM was irrelevant for SSH too, then Dug Song

MITM is irrelevant in practice. Very few cases of SSL MITM have been
observed. In practice, you can spoof URLs or just social engineer via email.
Or remotely compromise, and sniff passphrases. Or just break
in, and install a keylogger. Or just disappear you, and break your fingers
until you tell. Etc.

> wrote some software and every script-kiddie could do it. That same
> software could, with a basic modification, be used to MITM SSL
> too.

OE threat model is Echelon, not h4x0rs. Tapping a fibre is one thing, sifting
out packets selectively, and piping in altered ones is something which can be
done. In theory. In practice, not so.

MITM is detectable with cached keys/fingerprints.

For everything else there are locked-down VPN tunnels, and armed couriers
handcuffed to their bags.

And now, excuse me, I'm out of this thread.

Eugen* Leitl <a href="http://leitl.org">leitl</a>
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net

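The cached-key check mentioned in the message above, sketched as an added example that is not part of the original post: a trust-on-first-use pin cache that reports when a peer presents a key different from the one cached. The peer name, key blobs, `PinCache` class and verdict strings are all constructed for illustration.

```python
import base64
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class PinCache:
    """Maps (peer, key type) to the fingerprint recorded on first contact."""

    def __init__(self):
        self._pins = {}

    def check(self, peer: str, key_type: str, key_blob: bytes) -> str:
        fp = fingerprint(key_blob)
        cached = self._pins.get((peer, key_type))
        if cached is not None:
            # A changed key is never pinned silently: the old pin stays
            # until an operator confirms the rotation out of band.
            return "match" if cached == fp else "MISMATCH"
        if any(p == peer for (p, _t) in self._pins):
            # Known peer offering a key type never seen before. Not pinned
            # automatically, since an interceptor could offer a fresh type
            # to sidestep the existing pin.
            return "new-key-type"
        # First contact is unauthenticated: the cache only detects changes
        # after this point, not an interceptor present from the start.
        self._pins[(peer, key_type)] = fp
        return "first-contact"


# Constructed sample key blobs (not real host keys).
KEY_A = b"constructed-host-key-A"
KEY_B = b"constructed-host-key-B"
KEY_C = b"constructed-host-key-C"


def demo():
    cache = PinCache()
    peer = "mail.example.org"  # constructed peer name
    return [
        cache.check(peer, "ssh-ed25519", KEY_A),  # key is pinned
        cache.check(peer, "ssh-ed25519", KEY_A),  # same key again
        cache.check(peer, "ssh-ed25519", KEY_B),  # substituted key
        cache.check(peer, "ssh-ed25519", KEY_A),  # original pin intact
        cache.check(peer, "ssh-rsa", KEY_C),      # unseen key type
    ]


if __name__ == "__main__":
    print(demo())
```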