[Cryptography] phishing, was Encryption opinion

David Mercer radix42 at gmail.com
Tue Aug 26 17:36:58 EDT 2014


On Tue, Aug 26, 2014 at 2:45 AM, James A. Donald <jamesd at echeque.com> wrote:

> On 2014-08-26 14:48, John Levine wrote:
>
>>>> Web phishes rarely do MITM.  It's a site that looks like the real site
>>>> and tells you to log in.  Once you do, it says oops, you mistyped your
>>>> password and perhaps redirects you to the real site.  It's just
>>>> impersonation.
>>>>
>>>
>>> MITM is an abstract term denoting two endpoints and a node in the
>>> middle.  The correct communication goes between the endpoints without
>>> interference.  An MITM interposes a middle node by one means or another
>>> that can see plaintext and pervert intent.
>>>
>>> Above, you've met those requirements.
>>>
>>
>> No, the phish site does not communicate with the bank, it merely
>> impersonates the bank to steal your credentials.  The phish is not a
>> middle node.  I don't know how to say that any more clearly.
>>
>
> Phishing:
>
> Alice intends to submit her password to Bob.  Instead she submits it to
> Mallory, who submits it to Bob.
>
> Sure sounds like Mallory is in the middle.


Stop, you're both right. Really simplistic low-end phishing attempts don't
do anything other than capture your credentials, and may or may not
redirect you to where you thought you were after getting them. High-end,
more sophisticated ones do a full, live MITM and proxy between you and the
bank, while mimicking the UI.

-David Mercer