[Cryptography] Encryption opinion
Bear
bear at sonic.net
Tue Aug 26 18:15:57 EDT 2014
On Tue, 2014-08-26 at 13:12 +0100, ianG wrote:
> On 25/08/2014 22:52 pm, Bear wrote:
> > On Mon, 2014-08-25 at 11:50 +0100, ianG wrote:
> >
> >> Phishing is an MITM.
> >
> > No.
> > MITM is a technical attack taking advantage
> > of protocol weakness. It needs an entirely different means
> > to combat it, and needs to be considered separately.
>
>
> We could try your definition if you like, but the consequences are
> equally ugly, worse even.
MITM is easier to defend against because in order to do it the
attacker must fool both communicants, not just one.
> If MITM is only 'technical' this means that HTTPS only provides
> technical protection. Which is then going to knock out claims of HTTPS
> ensuring you talk to your bank, because it can no longer do that, it's
> not a social or human entity.
HTTPS is laughable. If you have interpreted me as saying
it's adequate, you are dead wrong. It isn't adequate; its
only virtue is that it sucks *VERY SLIGHTLY* less than nothing.
First, you speak truly in saying that it provides only
technical protection. It provides not nearly enough of that
to protect against MITM, and even if it did that would still
be no effective protection against phishing.
HTTPS in fact does not ensure that you talk to your bank.
It ensures only that you are talking to someone who has
some certificate issued by one of the umpty CAs recognized
by your browser, and your browser isn't even going to
bother mentioning it to you if it isn't the same cert (or
the same CA) that your bank uses.
HTTPS also fails to ensure that your bank is talking to you.
It doesn't even ensure to them that they're talking to the
same person who has most recently pretended to be you. It
ensures only that your bank is talking to someone who knows
your password, including both the isochronous phishing attacker
who learned your password without your bank's participation,
and my synchronous MITM attacker who got between us WHILE my
bank and I were both attempting to communicate with each other.
HTTPS is NOT an effective protection against MITM. Furthermore,
MITM is easier, not harder, to address than phishing, and even
if HTTPS were effective protection against MITM it still would
not be an effective protection against phishing.
The only reason real MITM attacks aren't widespread in this
laughable protection regime is that phishing is so damn much
easier for the crooks to do.
There can be no protecting consumers until consumers learn
to manage and reason about keys with their conscious minds.
Efforts to spare them from key management and automate it
for them will lead only to helplessness and incomprehension
in the face of failures.
Bear
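Bear's point above is that the browser checks only that *some* CA it recognises signed the certificate, not that it is the same certificate, or even the same CA, the bank presented last time. The script below, added here as an example and not code from the post or from the list, is the missing continuity check: a trust-on-first-use (TOFU) pin store that records the certificate fingerprint and issuer seen for a host and classifies later connections as matching, re-keyed under the same CA, or re-issued by a different CA. It uses only the standard library; the hostnames, certificate bytes and issuer names in the demo are constructed, and `connect_and_check` (which does a real TLS handshake) is never called during the offline demo.

```python
# Added example (not from the original post): a TOFU pin store that does
# the continuity check the post says browsers omit.  Hostnames, certificate
# bytes and issuer names used in the demo are constructed.
import hashlib
import json
import os
import socket
import ssl
import time

FIRST_SEEN = "first-seen"                 # no pin yet; record this cert
MATCH = "match"                           # same certificate as pinned
CERT_CHANGED_SAME_CA = "cert-changed-same-ca"  # plausible renewal, still worth a look
CA_CHANGED = "ca-changed"                 # different issuer: stop and verify out of band


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the value a browser's cert viewer shows."""
    return hashlib.sha256(cert_der).hexdigest()


def issuer_from_peercert(peercert: dict) -> str:
    """Flatten the 'issuer' entry of ssl.SSLSocket.getpeercert() into a stable
    string such as 'countryName=US,organizationName=Example CA'."""
    parts = []
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            parts.append(f"{name}={value}")
    return ",".join(parts)


class PinStore:
    """Per-host pins persisted as JSON (path=None keeps them in memory only)."""

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def save(self):
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.pins, f, indent=2)

    def observe(self, host, cert_der, issuer, now=None):
        """Compare this connection against the pin and return one of the
        outcome constants.  A mismatch never overwrites the pin; call
        accept() once the change has been verified out of band."""
        now = time.time() if now is None else now
        fp = cert_fingerprint(cert_der)
        pin = self.pins.get(host)
        if pin is None:
            self.pins[host] = {"fingerprint": fp, "issuer": issuer,
                               "first_seen": now, "last_seen": now}
            self.save()
            return FIRST_SEEN
        if pin["fingerprint"] == fp:
            pin["last_seen"] = now
            self.save()
            return MATCH
        if pin["issuer"] == issuer:
            return CERT_CHANGED_SAME_CA
        return CA_CHANGED

    def accept(self, host, cert_der, issuer, now=None):
        """Explicitly re-pin a host after the user has checked the new cert."""
        self.pins.pop(host, None)
        return self.observe(host, cert_der, issuer, now)


def connect_and_check(host, port, store):
    """Real handshake (network required): CA validation happens inside
    wrap_socket as usual; the pin check runs on top of it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = issuer_from_peercert(tls.getpeercert())
            return store.observe(host, der, issuer)


if __name__ == "__main__":
    # Constructed demo: stand-in bytes play the role of DER certificates.
    store = PinStore()
    ca1 = "countryName=US,organizationName=Example CA 1"
    ca2 = "countryName=US,organizationName=Other CA"
    print(store.observe("bank.example", b"constructed-cert-1", ca1))  # first-seen
    print(store.observe("bank.example", b"constructed-cert-1", ca1))  # match
    print(store.observe("bank.example", b"constructed-cert-2", ca1))  # cert-changed-same-ca
    print(store.observe("bank.example", b"constructed-cert-3", ca2))  # ca-changed
```

A browser performing plain CA validation reports nothing for any of the last three outcomes; a policy built on this store could, for instance, permit `cert-changed-same-ca` silently but refuse `ca-changed` until the user confirms the new certificate through another channel.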