SSL, client certs, and MITM (was WYTM?)

Perry E. Metzger perry at piermont.com
Wed Oct 22 19:11:39 EDT 2003


daw at mozart.cs.berkeley.edu (David Wagner) writes:
> Tom Otvos wrote:
> >As far as I can glean, the general consensus in WYTM is that MITM
> >attacks are very low (read: inconsequential) probability.  Is this
> >*really* true?
> 
> I'm not aware of any such consensus.

I will state that MITM attacks are hardly a myth. They're used by
serious attackers when the underlying protocols permit it, and I've
witnessed them in the field with my own two eyes. Hell, they're even
well enough standardized that I've seen them in use on conference
networks. Some such attacks have been infamous.

MITM attacks are not currently the primary means for stealing credit
card numbers these days because TLS makes it harder to do MITM
attacks and thus it is usually easier just to break in to the poorly
defended web server and steal the card numbers directly. However, that
is not a reason to remove anti-MITM defenses from TLS -- it is in fact
a reason to think of them as a success.

> I suspect you'd get plenty of debate on this point.
> But in any case, widespread exploitation of a vulnerability
> shouldn't be a prerequisite to deploying countermeasures.

Indeed. Imagine if we waited until airplanes exploded regularly to
design them so they would not explode, or if we had designed our first
suspension bridges by putting up some randomly selected amount of
cabling and seeing if the bridge collapsed. That's not how good
engineering works.

> If we see a plausible future threat and the stakes are high enough,
> it is often prudent to deploy defenses in advance against the
> possibility that attackers.

This is especially true when the marginal cost of the defenses is near
zero. The design cost of the countermeasures was high, but once
designed they can be replicated with no greater expense than that of
any other protocol.

> It's hard to predict with confidence which of the many
> vulnerabilities will be popular among attackers five years from now,
> and I've been very wrong, in both directions, many times.  In
> recognition of our own fallibility at predicting the future, the
> conclusion I draw is that it is a good idea to be conservative.

Ditto.

-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com