Who's afraid of Mallory Wolf?

David Wagner daw at mozart.cs.berkeley.edu
Mon Mar 24 17:02:43 EST 2003


Ian Grigg wrote:
>By common wisdom, SSL is designed to defeat
>the so-called "Man in the Middle" attack, or
>MITM for short.
>
>The question arises, why?

One possible reason: Because DNS is insecure.
If you can spoof DNS, you can mount a MITM attack.

A second possible reason: It's hard to predict
what attacks will become automated.  Internet
attacks seem to have an all-or-nothing feel:
either almost no one exploits them, or they get
exploited en masse.  The latter ones can be
really painful, if you haven't built in protection
in advance.

You could take your argument even further and
ask whether any crypto was needed at all.
After all, most attacks have worked by compromising
the endpoint, not by sniffing network traffic.
I'll let you decide whether to count this as a
success story for SSL, or as an indication that the
crypto wasn't needed in the first place.
(I'm a little skeptical of this argument, by the
way, but hey, if we're playing devil's advocate,
why not aim high?)

---------------------------------------------------------------------
The Cryptography Mailing List


