[Cryptography] phishing, was Encryption opinion

ianG iang at iang.org
Mon Aug 25 18:49:46 EDT 2014


On 25/08/2014 22:38 pm, John Levine wrote:
>>> Except that the M isn't ITM in the case of phishing.  Phishing is not so
>>> much a Man In The Middle, it's more a Man On The Sidelines That Looks
>>> Very Much Like Bob, or MOTSTLVMLB, but good luck pronouncing that.
>>
>> I don't see the distinction.  The phisher redirects Alice's browser to
>> him.  He then goes to the site and extracts information to perpetuate
>> the deception.  What's not middle here?
> 
> Web phishes rarely do MITM.  It's a site that looks like the real site
> and tells you to log in.  Once you do, it says oops, you mistyped your
> password and perhaps redirects you to the real site.  It's just
> impersonation.


MITM is an abstract term denoting two endpoints and a node in the
middle.  The correct communication goes between the endpoints without
interference.  An MITM interposes a middle node by one means or another
that can see plaintext and pervert intent.

Above, you've met those requirements.

A phish is a teaser mail that includes a URL pretending to be your bank
(eg Bob).  If you (Alice) click on it, you go there instead of your
bank.  You're now talking to the middle, which will then talk to the bank.

What happens after the MITM is successfully launched is outside scope of
the abstractness.  Likewise, how the attacker successfully interposes is
outside the scope of the term;  it could be protocol, it could be UX, it
could be other things.


> There is MITB malware that does interpose itself between the user and
> the real bank, doing impressive things like OCR on images describing
> the transaction which they then rewrite to show the transaction that
> the user thinks he's approving.  But that's not phishing, it's
> something else.


Yeah, phishing is sending out a lot of URLs with deceptive messages to
try and get people to click on the URLs.

> I suspect bank MITM phishes would work poorly these days since banks
> generally use cookies and IP addresses to notice when a user
> isn't logging in from the normal place.  I was in the Bahamas for a
> meeting a couple of weeks ago, and my bank was extremely sceptical
> that it was me trying to check my balances.


Right.  It's basically up to the websites and individuals to protect
their users from MITMs outside the HTTPS barrier.  It's also up to the
users to protect themselves from other failings...  which gets
exceedingly messy because browser policy and user demand are to provide a
protected-or-not appearance, and no information.



iang
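The scenario argued over above (Alice clicks the teaser URL, talks to the lookalike site, the lookalike relays to the real bank, and the bank's cookie/IP tracking is the thing that trips it) is laid out below as a small simulation.  This is an added example, not code from the original post or from any bank; the users, IPs, device cookie, mule account and the "step-up-required" policy are all constructed for the illustration.

```python
import hashlib

# Constructed sample data for the simulation (not from the post).
BANK_USERS = {"alice": "correct horse battery staple"}
ALICE_IP, ALICE_COOKIE = "203.0.113.7", "dev-cookie-alice-laptop"
PHISHER_IP = "198.51.100.9"
MULE_ACCOUNT = "mule-0001"


class Bank:
    """Bob.  Optionally tracks (ip, device cookie) pairs per user, as the thread describes."""

    def __init__(self, users, known_devices, risk_checks=True):
        self.users = users
        self.known_devices = known_devices      # user -> set of (ip, device_cookie)
        self.risk_checks = risk_checks
        self.sessions = {}                      # token -> user
        self.transfers = []                     # (user, payee, amount)

    def login(self, user, password, ip, device_cookie):
        if self.users.get(user) != password:
            return {"ok": False, "reason": "bad-credentials"}
        if self.risk_checks:
            known = self.known_devices.get(user, set())
            ip_known = any(k_ip == ip for k_ip, _ in known)
            cookie_known = device_cookie is not None and any(
                k_cookie == device_cookie for _, k_cookie in known)
            if not (ip_known or cookie_known):
                # Right password, but from an unfamiliar place with no recognised
                # device cookie: refuse and demand an out-of-band step-up.
                return {"ok": False, "reason": "step-up-required"}
        token = hashlib.sha256(f"{user}|{ip}|{device_cookie}".encode()).hexdigest()[:16]
        self.sessions[token] = user
        return {"ok": True, "session": token}

    def transfer(self, session, payee, amount):
        user = self.sessions.get(session)
        if user is None:
            return {"ok": False, "reason": "no-session"}
        self.transfers.append((user, payee, amount))
        return {"ok": True}


class Phisher:
    """The lookalike site behind the URL in the teaser mail.  Alice talks to it,
    it talks to the bank from its own host: it sees plaintext and can pervert intent."""

    def __init__(self, bank, ip, mule_account):
        self.bank, self.ip, self.mule = bank, ip, mule_account
        self.captured = []          # plaintext credentials seen in the middle
        self.session = None

    def login(self, user, password):
        self.captured.append((user, password))
        # Relay to the real bank.  The request arrives from the phisher's IP and
        # carries none of Alice's device cookies.
        reply = self.bank.login(user, password, self.ip, None)
        if reply["ok"]:
            self.session = reply["session"]
        return reply

    def transfer(self, payee, amount):
        # Alice asked to pay `payee`; the middle rewrites the payee to its mule.
        if self.session is None:
            return {"ok": False, "reason": "no-session"}
        return self.bank.transfer(self.session, self.mule, amount)


def run_phish(risk_checks):
    """Alice clicks the teaser URL, logs in on the lookalike, and tries a transfer."""
    bank = Bank(BANK_USERS, {"alice": {(ALICE_IP, ALICE_COOKIE)}}, risk_checks)
    mitm = Phisher(bank, PHISHER_IP, MULE_ACCOUNT)
    login = mitm.login("alice", BANK_USERS["alice"])
    mitm.transfer("landlord-4242", 500)
    return {"login": login, "captured": mitm.captured, "transfers": bank.transfers}


def run_direct():
    """Alice logs in from her own laptop: the same checks let her through."""
    bank = Bank(BANK_USERS, {"alice": {(ALICE_IP, ALICE_COOKIE)}}, risk_checks=True)
    return bank.login("alice", BANK_USERS["alice"], ALICE_IP, ALICE_COOKIE)


if __name__ == "__main__":
    for checks in (False, True):
        print("risk checks", checks, "->", run_phish(checks))
    print("direct login ->", run_direct())
```

Without the risk checks the relayed login succeeds and the payee is silently rewritten to the mule; with them the bank sees a correct password arriving from an unfamiliar IP with no recognised device cookie and refuses.  Note what the check does not do: the phisher still holds Alice's plaintext password in `captured`, which is the part HTTPS never protected in the first place.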

