[Cryptography] Moving forward on improving HTTP's security
Bear
bear at sonic.net
Sat Nov 23 20:30:52 EST 2013
On Sat, 2013-11-23 at 10:14 -0500, John Kelsey wrote:
> NSA is a good model for the attacker, but there are a lot of attackers that aren't NSA, ranging from nosy neighbors to local cops to criminals to foreign governments to big companies and their ethics-free contractors. Moving to TLS everywhere will make eavesdropping harder across the board, and will be more effective the more we apply additional defenses against mitm attacks.
I am particularly concerned about foreign governments, especially
those in developed nations where chips and consumer electronics
are fabricated. After all, if the NSA is an example of what
intelligence agencies are doing, then we may assume that it is not
the only such example, nor likely even the one with the most
comprehensive program of surveillance. Nor is anyone else likely
to limit themselves to so-called "Metadata," even though Metadata
is equivalent to long-term close surveillance in a way that the
texts of our mails are not and if anything even more of an invasion
of privacy.
As long as we leave the infrastructure capable of being suborned,
we will not know who nor how many are reading everyone's mail or
collecting information files on every human being in the world.
Bruce Schneier posted the other day about detected MITM attacks,
some of them quite large-scale and others quite closely targeted,
that have been diverting http and mail traffic by suborning DNS.
I first learned of such an attack over 20 years ago when a
local foaming-at-the-mouth you're-all-going-to-hell style
minister used it against a local government official, whose
mail to her husband (with whom she was having marital problems)
he then reprinted and faxed to thousands of people under the
headline "Jezebellian Whore!"
That was 20 years ago. Why hasn't it been fixed by now?? Why
is this attack still possible, if the entire world hasn't been
derelict in their duty, wilfully complicit, or asleep at the wheel?
Bear