[Cryptography] Encryption opinion

Bear bear at sonic.net
Tue Aug 26 18:15:57 EDT 2014 

On Tue, 2014-08-26 at 13:12 +0100, ianG wrote:
> On 25/08/2014 22:52 pm, Bear wrote:
> > On Mon, 2014-08-25 at 11:50 +0100, ianG wrote:
> > 
> >> Phishing is an MITM.
> > 
> > No.


> > MITM is a technical attack taking advantage
> > of protocol weakness.  It needs an entirely different means 
> > to combat it, and needs to be considered separately.
> 
> 
> We could try your definition if you like, but the consequences are
> equally ugly, worse even.

MITM is easier to defend against because in order to do it the 
attacker must fool both communicants, not just one.  


> If MITM is only 'technical' this means that HTTPS only provides
> technical protection.  Which is then going to knock out claims of HTTPS
> ensuring you talk to your bank, because it can no longer do that, it's
> not a social or human entity.

HTTPS is laughable. If you have interpreted me as saying 
it's adequate, you are dead wrong.  It isn't adequate; its 
only virtue is that it sucks *VERY SLIGHTLY* less than nothing.

First, you speak truly in saying that it provides only 
technical protection.  It provides not nearly enough of that 
to protect against MITM, and even if it did that would still 
be no effective protection against phishing. 

HTTPS in fact does not ensure that you talk to your bank.
It ensures only that you are talking to someone who has 
some certificate issued by one of the umpty CAs recognized
by your browser, and your browser isn't even going to 
bother mentioning it to you if it isn't the same cert (or 
the same CA) that your bank uses.

HTTPS also fails to ensure that your bank is talking to you. 
It doesn't even ensure to them that they're talking to the 
same person who has most recently pretended to be you.  It 
ensures only that your bank is talking to someone who knows 
your password, including both the isochronous phishing attacker 
who learned your password without your bank's participation,  
and my synchronous MITM attacker who got between us WHILE my 
bank and I were both attempting to communicate with each other.  

HTTPS is NOT an effective protection against MITM.  Furthermore, 
MITM is easier, not harder, to address than phishing, and even 
if HTTPS were effective protection against MITM it still would 
not be an effective protection against phishing.

The only reason real MITM attacks aren't widespread in this 
laughable protection regime is that phishing is so damn much 
easier for the crooks to do.

There can be no protecting consumers until consumers learn 
to manage and reason about keys with their conscious minds.  
Efforts to spare them from key management and automate it 
for them will lead only to helplessness and incomprehension 
in the face of failures.

			Bear

More information about the cryptography mailing list