[Cryptography] phishing, was Encryption opinion
ianG
iang at iang.org
Wed Aug 27 06:02:35 EDT 2014
On 26/08/2014 22:22 pm, John Levine wrote:
>>> No, the phish site does not communicate with the bank, it merely
>>> impersonates the bank to steal your credentials. The phish is not a
>>> middle node. I don't know how to say that any more clearly.
>>
>> So, what then? The phish then loses the credentials? It does crossword
>> puzzles with them?
>
> This might be a good time to consider the possibility that the online
> crime economy is more complex than you imagine it to be.
http://financialcryptography.com/mt/archives/000439.html
> My understanding of the term MITM is that it's a real time attack,
> where the bad guy rewrites the traffic and simultaneously pretends to
> the customer that he's the bank, and pretends to the bank that he's
> the customer.
I found a couple of definitions on the net last night, and neither of
them closed the argument. Here's one from Steve Kent:
    Man-in-the-Middle attack (MITM)
    A form of active wiretapping attack
    in which the attacker intercepts and selectively modifies
    communicated data to masquerade as one or more of the entities
    involved in a communication association. Masquerading enables the
    MITM to violate the confidentiality and/or the integrity of
    communicated data passing through it.
http://community.roxen.com/developers/idocs/drafts/draft-kent-pervasive-encryption-00.html
[good notes snipped, yes there are many uses for information!]
> PS: This has precious little to do with crypto,
Deciding what to do about MITM at whichever level it occurs, however it
occurs, and whatever label we put on it has everything to do with design
and employment of crypto-security protocols.
IF,
    it turns out that blocking MITM using crypto is possible,
    but introduces user costs which slow adoption, and
    it turns out that low-level protocol MITM isn't much of a
    threat, and
    it turns out that there is an easy attack at the user level,
    far far easier than any in-protocol-MITM,
THEN,
    it might be pointless to load up the user with additional
    costs of defending something that ain't going to be a problem,
    and instead switch those resources to what is a problem.
> other than perhaps
> arguing about the merits of out of band authentication approaches:
>
> http://obvious.services.net/2013/07/better-have-big-pockets-if-you-want.html
Right. Because the protocol didn't solve the authentication needs, the
users have to do it themselves. A mystery!
iang