[Cryptography] Encryption opinion

Stephan Neuhaus stephan.neuhaus at tik.ee.ethz.ch
Mon Aug 25 07:32:41 EDT 2014


On 2014-08-25, 12:50, ianG wrote:
> Phishing is an MITM.

Except that the M isn't ITM in the case of phishing.  Phishing is not so
much a Man In The Middle, it's more a Man On The Sidelines That Looks
Very Much Like Bob, or MOTSTLVMLB, but good luck pronouncing that.

> So it turns out that HTTPS protects against a class of MITMs, not all
> MITMs.  As the easiest MITM is outside HTTPS, what is the point of
> protecting MITMs at all?

Not sure if sarcastic or serious, but HTTPS isn't useless just because
it doesn't protect against phishing.

> What it distracts from is:  protecting the user.

We're very much on the same page here.

> And, do you think that if the browsers had said "we must eradicate
> phishing!" they would have succeeded?  Of course they would.

I'm not sure.  It's very hard (at least NOW it's very hard) to come up
with a way to tell users that a site is probably a phishing site without
confusing them even more than they already are.

> I don't understand how they did it, but they managed to forget the user.
> Entirely.  Industry-wide cognitive dissonance allowed everyone from
> IETF to vendor to CA to audit to proceed happily without addressing
> phishing [0].  How do you explain that?

Again, I'm on the same page as you, so I'm not going to "explain that"
:-) In my original post I merely pointed out that crypto won't stop Eve
from dressing up as Bob while still showing credentials that say
correctly that she's Eve.

Fun,

Stephan
