<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.26.3">
On Fri, 2010-05-07 at 16:40 -0400, Aryeh Gregor wrote:
On Fri, May 7, 2010 at 4:21 PM, Tab Atkins Jr. <<A HREF="mailto:email@example.com">firstname.lastname@example.org</A>> wrote:
> On Fri, May 7, 2010 at 10:06 AM, Juuso Hukkanen <<A HREF="mailto:email@example.com">firstname.lastname@example.org</A>> wrote:
>> 1) Man-in-the-middle problem; which doesn't exist because
>> a) those are just academic mind games
> You don't get to talk about security anymore.
I don't think "academic" is an *entirely* unfair characterization of
MITM on the web, actually. MITM is hard enough to pull off on the
open web that unless you're a bank or PayPal or something, it's
unlikely anyone would bother. In practice, most web developers don't
have to worry about MITM. By contrast, something like XSS or SQL
injection is often so easy to exploit when it exists that any site is
at risk, from botnet operators targeting their outdated software or
from script kiddies feeling bored or spiteful.
In fact, do you know of *any* examples of MITM attacks being
successfully used against a public website? It's not that I doubt
that it's happened, but I don't actually know of any specific cases.
In principle, you should be able to harvest lots of passwords by
dropping some free wireless routers in strategic locations.
(There's still an entirely different fatal problem with what you
quoted, though: if you aren't worried about MITM, then encryption is
pointless to begin with. I don't dispute your conclusion. :) )
Maybe not exactly what you had in mind, but it is a man-in-the-middle in a sort of sense.<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">