[Cryptography] Encryption opinion

Paul Ferguson fergdawgster at mykolab.com
Tue Aug 26 21:38:39 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 8/26/2014 6:29 PM, ianG wrote:

> On 26/08/2014 23:29 pm, Paul Ferguson wrote:
>>> On 8/26/2014 3:15 PM, Bear wrote:
>>> 
>>>>> HTTPS is NOT an effective protection against MITM.
>>>>> Furthermore, MITM is easier, not harder, to address than
>>>>> phishing, and even if HTTPS were effective protection
>>>>> against MITM it still would not be an effective protection
>>>>> against phishing.
>>> 
>>> The real "in the middle" threat these days is
>>> credential-stealing Man-in-the-Browser (MitB) malware, such as
>>> most modern day banking Trojans (ZeuS, et al).
>>> 
>>> This is truly "in the middle" insofar as the attacker is
>>> actively and surreptitiously part of the end-to-end session.
> 
> It's curious that you say that.  In MITM there are the two end
> nodes and a node in the middle.  When MITB takes over Alice's node,
> he isn't in the middle anymore, he's Alice's node.


Okay, so you got me on a technicality. :-)


So I figured I would bring that up, especially since I see the IETF
security area completely disconnected from reality with regard to
security operations.

I used to be -- back in the inglorious 90's, when I was a Cisco
engineer -- very active in the IETF. Even have my name attached to a
couple of RFCs, BCP38 being the most recognizable. I stopped
participating in the IETF around ~1999-2000 when I started working on
security issues "full time" after realizing that most of the IETF
constabulary had no real idea of what "security" on the Internet
actually involved from an operations perspective.

Encryption does not security make.

Sure, encryption is a good thing, when designed & implemented
correctly, but if the end systems are compromised (Welcome to my
world!) then you are simply providing a secure transit mechanism for
criminals to conduct their... crimes, given that they have control of
the end system with "great security".

It's a Tao thing. :-)

- - ferg


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iF4EAREIAAYFAlP9Np8ACgkQKJasdVTchbIuQwD+PKpX9+INlb5NMxX12cl01tm3
goi/AnvEHsAwF3H+rJcBAK1H0zlRR6antSumvKy8hK8WqYZz/pJAU8yHu8T4oEwN
=SDes
-----END PGP SIGNATURE-----

