This will be my last post on this issue. I promise.

> > I still don't understand where you're disagreeing with me.

> Your attack includes things like hijacking and redirection, which is not
> part of an MITM attack. Your postings also seem to come down on both
> sides of "successful" as to whether or not that is part of MITM.

The MITM owns the middle. If the two parties are the client and the server, the 'middle' is the network. The MITM takes over the communication channel between A and B and can do anything he wants with it.

> If the MITM isn't intercepting or modifying the traffic *between A and B*
> it is not MITM. If A and B -- the participants that originally intended
> to communicate -- don't end up having (compromised) communication, then it
> is not MITM.

If a protocol involves, for example, DNS, then you have to consider the DNS infrastructure as another party to the protocol. Thus the MITM also gets to control the traffic to and from that infrastructure as well. If there are more than 2 parties to a protocol, the MITM controls all the traffic between the parties.

There is no law that says the MITM must pass any traffic to any particular party. If he can get plaintext out of A without sending anything ever to B, then he has won and he's still a man in the middle. The key is that he can intercept and control any traffic sent by one party to the protocol to any other party to the protocol.

> If there's "out of band" signalling that the A:B comm channel has been
> attacked, then the protocol is *not* protected against MITM. Or, you must
> include the OOB information as part of the protocol. :)

Right. What I'm saying is that the MITM definition says the MITM can modify the data "without the knowledge of any of the parties". That doesn't mean that the MITM must somehow prohibit the parties from finding out he's there, it simply means that the parties don't automatically know he's there unless he figures it out for himself. If party B figures out the MITM is there, but he still gets some of the plaintext party A intended only party B to get, the MITM still wins.

There is a successful MITM attack if the MITM can violate any of the properties the parties expected the protocol to have.

> PS: 35 web sites either got the definition wrong, or weren't clear enough
> for you to understand? I'm not swayed.

The thing is, every crypto textbook and every web site I can find agrees with me -- the MITM owns the middle.

RFC 2825 (in a section about TLS):

"Unless comparison of domain names is properly defined, the client may either fail to match the domain name of a legitimate server, or match incorrectly the domain name of a server performing a man-in-the-middle attack. Either failure could enable attacks on systems that are now impossible or at least far more difficult."

DS