<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 22/04/2025 01:41, Ron Garret wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DA3CDC2A-F29D-4675-97A1-7D3A0D727653@flownet.com">
<pre wrap="" class="moz-quote-pre">
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On Apr 21, 2025, at 2:38 PM, iang via cryptography <a class="moz-txt-link-rfc2396E" href="mailto:cryptography@metzdowd.com"><cryptography@metzdowd.com></a> wrote:
On 20/04/2025 18:13, Kent Borg wrote:
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">I thought I saw someone here shrugging off the risk of MitM attacks. Be careful.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
'twas me, heretic in chief.
The issue here is that SSL was brought in (from v1 to v2) because of the claim that MITMs would eat our lunch. That was an unevidenced claim, and since then, there has been no evidence that the MITM attack justifies that level of defence.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
But that's because the defense is in place. It's plausible that the reason we're not seeing MITM attacks is because the defense is effective.</pre>
</blockquote>
<p><br>
</p>
<p>Entirely plausible, as is the alternate argument - it's not
happening because it's not economic. The question is, where's the
evidence that tells it is one or the other?<br>
</p>
<p><span style="white-space: pre-wrap">
</span></p>
<blockquote type="cite"
cite="mid:DA3CDC2A-F29D-4675-97A1-7D3A0D727653@flownet.com">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">I'm not saying it does or doesn't - I'm saying we don't know.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
That's kind of like saying that until you actually try jumping off the Eiffel Tower you can't know for certain whether or not you will plummet to your death, and so until someone actually does this experiment the guard rails are useless.</pre>
</blockquote>
<p><br>
</p>
<p>Well, no, it's not like that at all. We have heaps of evidence of
people jumping and dying, it's a known phenomena and happens all
the time.</p>
<p>It's more like saying, we know that knives are sharp, and they
can be used to kill people. So do we impose rules on who can have
sharp knives? Obviously, if we impose these rules, then ...
proponents of the rules will say "Look! they're obviously working!
Less people are being killed."</p>
<p><span style="white-space: pre-wrap">
</span><span style="white-space: pre-wrap">
</span></p>
<blockquote type="cite"
cite="mid:DA3CDC2A-F29D-4675-97A1-7D3A0D727653@flownet.com">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">An awful lot of users connect via wifi, and, as flawed as the
certificate system is, it makes it hard for random evil hotspots to
pretend to be your bank or your e-mail. If we were back at plain http
these attacks would be a big problem. The system does work…to the extent
it works.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
Which is (1) the evidence-free assertion. Are we protecting ourselves against a rainbow unicorn attack? It matters less if the defence works than if rainbow unicorns actually do attack.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
But you don't have to posit rainbow unicorns. All you need is a script kiddie with a Raspberry Pi, and those are not mythical creatures. It seems pretty implausible that no one would attempt MITM attacks if it were possible to conduct them with low effort and low risk.</pre>
</blockquote>
<p><br>
</p>
<p>On that last point, for sure they have been attempted. But the
attackers gave up and moves to better techniques. Eg, see below.<br>
</p>
<p><span style="white-space: pre-wrap">
</span></p>
<blockquote type="cite"
cite="mid:DA3CDC2A-F29D-4675-97A1-7D3A0D727653@flownet.com">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">One example: SSH was born because people discovered that internal attackers were eavesdropping root passwords on ethernet LANs, and hacking into machines. So RSH was updated to add keys & crypto. Problem solved correctly, because attacks were happening, and the solution stopped those attacks.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
The stakes are much higher now. Suggesting that MITM mitigation is useless until people actually start geetting their bank account compromised on the regular seems pretty irresponsible to me.</pre>
</blockquote>
<p><br>
</p>
<p>Well, it's the state of the world we live in - phishing is an
MITM, just a different sort. And when it turned up, the browsers,
the CAs, the mail & web providers were all pretty unified in
ignoring it. They all felt it wasn't their problem, someone else
was "clearly" to blame. And they were too busy defending against
the MITM that wasn't happening to seriously consider the MITM that
was happening. Very responsible people, they even organised
CABForum to make sure this sort of thing got taken seriously.<br>
</p>
<p><span style="white-space: pre-wrap">
</span></p>
<blockquote type="cite"
cite="mid:DA3CDC2A-F29D-4675-97A1-7D3A0D727653@flownet.com">
<pre wrap="" class="moz-quote-pre">I also at this point feel the need to point out that your hypothesis is *quite literally* a conspiracy theory.
</pre>
</blockquote>
<p><br>
</p>
<p>You know the meta-conspiracy theory about consiracy theories,
right? That the term was invented by the CIA to teach the media
to downgrade anyone sniffing around their black ops and
potentially ruining their dirty little game? It works a treat,
once someone is tagged as a conspiracy theorist, their words are
ignored by all right thinking peoples.</p>
<p>Anyway, I think we're repeating arguments in a circle, so I'll
stop here :)<br>
</p>
<p><br>
</p>
<p>iang<br>
</p>
</body>
</html>