[Cryptography] Encryption opinion

Bear bear at sonic.net
Mon Aug 25 17:52:33 EDT 2014


On Mon, 2014-08-25 at 11:50 +0100, ianG wrote:

> Phishing is an MITM.

No.

Please don't muddy technical terms.  We need the precision
your argument would destroy here if we're going to have a 
meaningful technical discussion.  Once we start confusing 
one thing with another the discussion ceases to be precise 
and all-too-easily ceases to address what we intend to 
address.

Phishing is a social attack taking advantage of human
confusion.  We can combat it by creating UIs that reduce
human confusion.  MITM is a technical attack taking advantage
of protocol weakness.  It needs an entirely different means
to combat it, and needs to be considered separately.

This is not to say that phishing is unimportant; it is just
as important as MITM and needs just as much to be addressed.
But addressing it does not affect and is not affected by
the need to address MITM, and conflating the terms in any way
is counterproductive.

MITM is precise; if your bank is not trying to communicate
with you, and the phisher is not intercepting the bank's 
communication in flight, then a phisher pretending to be 
your bank is not engaging in an MITM. 

MITM is by nature three-sided.  There is you, your correspondent, 
and the adversary is someone between you in the communications 
channel.  If you don't have all three, then you don't have 
MITM. 

				Bear
