[Cryptography] phishing, was Encryption opinion

ianG iang at iang.org
Wed Aug 27 06:02:35 EDT 2014


On 26/08/2014 22:22 pm, John Levine wrote:
>>> No, the phish site does not communicate with the bank, it merely
>>> impersonates the bank to steal your credentials.  The phish is not a
>>> middle node.  I don't know how to say that any more clearly.
>>
>> So, what then?  The phish then loses the credentials?  It does crossword
>> puzzles with them?
> 
> This might be a good time to consider the possibility that the online
> crime economy is more complex than you imagine it to be.

http://financialcryptography.com/mt/archives/000439.html


> My understanding of the term MITM is that it's a real time attack,
> where the bad guy rewrites the traffic and simultaneously pretends to
> the customer that he's the bank, and pretends to the bank that he's
> the customer.


I found a couple of definitions on the net last night, and neither of
them closed the argument.  Here's one from Steve Kent:

      Man-in-the-Middle attack (MITM)
      A form of active wiretapping attack
      in which the attacker intercepts and selectively modifies
      communicated data to masquerade as one or more of the entities
      involved in a communication association.  Masquerading enables the
      MITM to violate the confidentiality and/or the integrity of
      communicated data passing through it.

http://community.roxen.com/developers/idocs/drafts/draft-kent-pervasive-encryption-00.html

[good notes snipped, yes there are many uses for information!]

> PS: This has precious little to do with crypto,


Deciding what to do about MITM at whichever level it occurs, however it
occurs, and whatever label we put on it has everything to do with design
and employment of crypto-security protocols.

IF,

  it turns out that blocking MITM using crypto is possible,
  but introduces user costs which slow adoption, and

  it turns out that low-level protocol MITM isn't much of a
  threat, and

  it turns out that there is an easy attack at the user level,
  far far easier than any in-protocol-MITM,

THEN,

  it might be pointless to load up the user with additional
  costs of defending something that ain't going to be a problem,
  and instead switch those resources to what is a problem.


> other than perhaps
> arguing about the merits of out of band authentication approaches:
> 
> http://obvious.services.net/2013/07/better-have-big-pockets-if-you-want.html


Right.  Because the protocol didn't solve the authentication needs, the
users have to do it themselves.  A mystery!



iang
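
The distinction the two posters are arguing about is easiest to see in code. What follows is an added toy model, not code from iang, John Levine or the list: a bank that accepts either a static password or a one-time challenge-response, a "phish" that impersonates the bank to the customer and never talks to the bank in real time, and a "relay" that matches Kent's definition by sitting between both parties and forwarding live. All names (Bank, Customer, Phish, Relay) and the sample credentials are constructed for the example. It shows why the label matters for protocol design: a fresh challenge defeats the credential-harvesting phish, but the real-time relay walks straight through it.

```python
"""Phish (impersonate-and-harvest) versus MITM relay (intercept-and-forward),
run against a bank with two login methods.  Constructed example; stdlib only."""
import hashlib
import hmac
import secrets


class Bank:
    """Server side.  Holds a static password and a token secret per user."""

    def __init__(self):
        # Constructed sample credentials, not real data.
        self.passwords = {"alice": "hunter2"}
        self.token_secrets = {"alice": b"alice-token-seed"}
        self.pending = {}  # user -> outstanding one-time nonce

    def login_password(self, user, password):
        return hmac.compare_digest(self.passwords.get(user, ""), password)

    def challenge(self, user):
        # A fresh nonce per login attempt; any earlier nonce is discarded.
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login_challenge(self, user, response):
        nonce = self.pending.pop(user, None)  # consumed on first use
        if nonce is None:
            return False
        expected = hmac.new(self.token_secrets[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Customer:
    """Client side.  Answers whatever it believes is the bank's challenge."""

    def __init__(self, user, password, token_secret):
        self.user, self.password, self.token_secret = user, password, token_secret

    def type_password(self):
        return self.password

    def respond(self, nonce):
        return hmac.new(self.token_secret, nonce, hashlib.sha256).digest()


class Phish:
    """Impersonates the bank to the customer.  It is NOT a middle node: it has
    no live session with the bank, it stores what it harvested and uses it later."""

    def __init__(self):
        self.captured = {}

    def harvest(self, customer):
        self.captured["password"] = customer.type_password()
        # The phish can only invent its own nonce; the bank never sees it.
        self.captured["response"] = customer.respond(secrets.token_bytes(16))

    def cash_in_password(self, bank, user):
        return bank.login_password(user, self.captured["password"])

    def cash_in_challenge(self, bank, user):
        bank.challenge(user)  # bank issues a new nonce the phish never saw
        return bank.login_challenge(user, self.captured["response"])


class Relay:
    """Kent's MITM: in the path, pretending to be the bank to the customer and
    the customer to the bank, forwarding the live challenge in real time."""

    def attack_challenge(self, bank, customer):
        nonce = bank.challenge(customer.user)  # as the customer, to the bank
        response = customer.respond(nonce)     # as the bank, to the customer
        return bank.login_challenge(customer.user, response)


def run_scenarios():
    """Returns which attack succeeds against which login method."""
    bank = Bank()
    alice = Customer("alice", "hunter2", b"alice-token-seed")
    phish = Phish()
    phish.harvest(alice)
    return {
        "phish_vs_password": phish.cash_in_password(bank, "alice"),    # True
        "phish_vs_challenge": phish.cash_in_challenge(bank, "alice"),  # False
        "relay_vs_challenge": Relay().attack_challenge(bank, alice),   # True
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {'attacker wins' if outcome else 'attacker fails'}")
```

The result is the crux of the thread: a harvested static password works whenever the phish chooses to use it, so the phish needs no live channel to the bank; a one-time challenge makes the harvested response worthless, but only shifts the attacker to the real-time relay, which is the attack the crypto protocol (server authentication, channel binding, or the out-of-band confirmation linked above) still has to address.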

