An ISP doing this would be carrying out a misrepresentation. In some jurisdictions this would
be a forgery offence, in others plain and simple fraud. In the UK it would classify as
preparing/planning for unauthorised access and theft of data within the computer misuse and
data protection acts. Even if a private prosecution against such an ISP failed, the bad
publicity would cost it more than it might have to gain. The Sony rootkit is a similar example
and frankly I'm surprised that prosecutions did not take place over it.

There seems to be an attitude here that large companies are above the law; that it does not
apply to them, but this is partly because the rudimentary laws which do cover the digital
domain are widely misunderstood and not yet adequately tested in court in such cases of
corporate abuse.

Technically the way to defeat this involves DNSSEC and a certificate forest with trees rooted
at the top-level domains established and maintained as part and parcel of DNS domain
registration and renewal.
Posted Jan 5, 2008 16:29 UTC (Sat) by rfunk (subscriber, #4054)
I'm not qualified to say much about the legal aspects in any country, though the
combination of big companies and technology often makes for a lack of reason in the
judicial world.

But your DNSSEC solution does nothing to protect against the ISP doing a MIM attack.
The scenario I was talking about doesn't depend on DNS forgery at all. That's the
advantage the ISP has that other attackers don't have.
Man in the middle
Posted Jan 7, 2008 1:19 UTC (Mon) by copsewood (subscriber, #199)
If DNSSEC secures the DNS and DNS domain registration includes provision of certificates, this
makes having certificates as routine as registering a domain.
Man in the middle
Posted Jan 7, 2008 2:10 UTC (Mon) by rfunk (subscriber, #4054)
Sorry, you're apparently still not understanding my point. Or I'm not getting yours. Or
both.