
Man in the middle

Posted Jan 4, 2008 15:07 UTC (Fri) by rfunk (subscriber, #4054)
Parent article: The future of unencrypted web traffic

The paragraph about signed certificates misses an important point.  The 
only thing keeping an ISP from proxying https traffic and effectively 
mounting a man-in-the-middle attack is the browser's certificate check.  
And if the end-user just clicks through the browser warnings, using https 
instead of http does nothing to prevent the ISP from messing with content.

Man in the middle

Posted Jan 5, 2008 13:38 UTC (Sat) by copsewood (subscriber, #199)

An ISP doing this would be carrying out a misrepresentation. In some jurisdictions this would
be a forgery offence, in others plain and simple fraud. In the UK it would classify as
preparing/planning for unauthorised access and theft of data within the computer misuse and
data protection acts. Even if a private prosecution against such an ISP failed, the bad
publicity would cost it more than it might have to gain. The Sony rootkit is a similar example
and frankly I'm surprised that prosecutions did not take place over it. 

There seems to be an attitude here that large companies are above the law; that it does not
apply to them, but this is partly because the rudimentary laws which do cover the digital
domain are widely misunderstood and not yet adequately tested in court in such cases of
corporate abuse.

Technically the way to defeat this involves DNSSEC and a certificate forest with trees rooted
at the top-level domains established and maintained as part and parcel of DNS domain
registration and renewal.

Man in the middle

Posted Jan 5, 2008 16:29 UTC (Sat) by rfunk (subscriber, #4054)

I'm not qualified to say much about the legal aspects in any country, though the 
combination of big companies and technology often makes for a lack of reason in the 
judicial world.

But your DNSSEC solution does nothing to protect against the ISP doing a MIM attack.  
The scenario I was talking about doesn't depend on DNS forgery at all.  That's the 
advantage the ISP has that other attackers don't have.

Man in the middle

Posted Jan 7, 2008 1:19 UTC (Mon) by copsewood (subscriber, #199)

If DNSSEC secures the DNS and DNS domain registration includes provision of certificates this
makes having certificates as routine as registering a domain. 

Man in the middle

Posted Jan 7, 2008 2:10 UTC (Mon) by rfunk (subscriber, #4054)

Sorry, you're apparently still not understanding my point.  Or I'm not getting yours.  Or 

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds