[Cryptography] phishing, was Encryption opinion

ianG iang at iang.org
Tue Aug 26 08:02:40 EDT 2014


On 26/08/2014 05:48 am, John Levine wrote:
>>> Web phishes rarely do MITM.  It's a site that looks like the real site
>>> and tells you to log in.  Once you do, it says oops, you mistyped your
>>> password and perhaps redirects you to the real site.  It's just
>>> impersonation.
>>
>> MITM is an abstract term denoting two endpoints and a node in the
>> middle.  The correct communication goes between the endpoints without
>> interference.  An MITM interposes a middle node by one means or another
>> that can see plaintext and pervert intent.
>>
>> Above, you've met those requirements.
> 
> No, the phish site does not communicate with the bank, it merely
> impersonates the bank to steal your credentials.  The phish is not a
> middle node.  I don't know how to say that any more clearly.


So, what then?  The phish then loses the credentials?  It does crossword
puzzles with them?

Clearly, the phish site uses the information found on the bank site,
captures the user's credentials, then hands the credentials over to
another agent (site? human?) who then contacts the bank.

Crystal?  It is to the attacker.

>> A phish is a teaser mail that includes a URL pretending to be your bank
>> (eg Bob).  If you (Alice) click on it, you go there instead of your
>> bank.  You're now talking to the middle, which will then talk to the bank.
> 
> Once again, that's not what phishes do.


If you mean, these days, they do more, for sure.



iang


