On Tuesday 25 March 2003 15:22, Bill Stewart wrote:
I get the impression that we're talking at cross-purposes here,
with at least two different discussions.
Yep. I haven't counted them up yet, but
the full discussion includes at least 6
disparate threads. The challenge is to
not arbitrarily
That's using a questionable measuring stick.
The damages paid out in a civil suit may be very
different (either higher, or lower) than the true
cost of the misconduct. Remember, the courts are
not intended to be a remedy for all harms, nor could
they ever be. The courts shouldn't be a
On Tuesday 25 March 2003 22:34, Steven M. Bellovin wrote:
Let me quote what the (U.S.) 2nd Circuit Court of Appeals said in the
T.J. Hooper case (60 F.2d 737, 1932):
Indeed in most cases reasonable prudence is in fact common prudence;
but strictly it is never its measure; a
At 10:02 PM 3/24/2003 +, David Wagner wrote:
You could take your argument even further and
ask whether any crypto was needed at all.
After all, most attacks have worked by compromising
the endpoint, not by sniffing network traffic.
I'll let you decide whether to count this as a
success story
On Monday 24 March 2003 19:26, bear wrote:
On Mon, 24 Mar 2003, Peter Clay wrote:
On Sun, 23 Mar 2003, Ian Grigg wrote:
Consider this simple fact: There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a
On Monday, Mar 24, 2003, at 18:57 US/Eastern, Ed Gerck wrote:
I'm sorry to say it but MITM is neither a fable nor
restricted to laboratory demos. It's an attack available
today even to script kiddies.
For example, there is a possibility that some evil attacker
redirects the traffic from the user's
Jeroen C. van Gelderen wrote:
1. Presently 1% of Internet traffic is protected by SSL against
MITM and eavesdropping.
2. 99% of Internet traffic is not protected at all.
I'm sorry, but no. The bug in MSIE, that prevented the correct
processing of cert path restraints and which led to
On Tuesday, Mar 25, 2003, at 02:20 US/Eastern, Ed Gerck wrote:
Jeroen C. van Gelderen wrote:
1. Presently 1% of Internet traffic is protected by SSL against
MITM and eavesdropping.
2. 99% of Internet traffic is not protected at all.
I'm sorry, but no. The bug in MSIE, that prevented the
At 11:10 PM 03/23/2003 -0500, Ian Grigg wrote:
Consider this simple fact: There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a credit card (CC).
(Over any Internet medium.)
One of the major reasons for this, of
At 12:17 AM 3/25/2003 -0500, Ian Grigg wrote:
I'd say, SSL with the cert protection is the
strongest link in the chain. In fact, it's
ludicrously strong. It's like a Chubb vault
lock on a screen door. If we were getting
physical here, the door wouldn't be strong
enough to hold up the lock.
On Tue, 25 Mar 2003, Ian Grigg wrote:
On Monday 24 March 2003 19:26, bear wrote:
him running roughshod over the law. He set up routing tables
to fool DNS into thinking his machine was the shortest distance
from the courthouse where she worked to her home ISP and
eavesdropped on her mail.
Ed Gerck wrote:
BTW, this is NOT the way to make paying for CA certs go
away. A technically correct way to do away with CA certs
and yet avoid MITM has been demonstrated to *exist*
(not by construction) in 1997, in what was called intrinsic
certification -- please see www.mcg.org.br/cie.htm
Phew,
On Tue, 25 Mar 2003, Anne Lynn Wheeler wrote:
the other scenario that has been raised before is that the browsers treat
all certification authorities the same aka if the signature on the
certificate can be verified with any of the public keys in a browser's
public key table ... it is
On Tuesday 25 March 2003 12:07, bear wrote:
On Tue, 25 Mar 2003, Ian Grigg wrote:
Which gets us to the next stage of the
analysis (what did they cost!).
Wait. Time out. good stuff snipped
I don't think mere monetary costs are even germane to
something like this. The costs,
On Tuesday, Mar 25, 2003, at 12:28 US/Eastern, bear wrote:
On Tue, 25 Mar 2003, Anne Lynn Wheeler wrote:
the other scenario that has been raised before is that the browsers treat
all certification authorities the same aka if the signature on the
certificate can be verified with any of
Ian Grigg writes:
I don't think mere monetary costs are even germane to
something like this. The costs, publicly and personally,
are of a different kind than money expresses.
I'm sorry to disagree, but I'm sticking to my
cost-benefit analysis: monetary costs are totally
germane. You see, we
Ben Laurie wrote:
Ed Gerck wrote:
;-) If anyone comes across a way to explain it, that does not require study,
please let me know and I'll post it.
AFAICS, what it suggests, in a very roundabout way, is that you may be
able to verify the binding between a key and some kind of DN by
Jeroen van Gelderen wrote:
Heu? I am talking about HTTPS (1) vs HTTP (2). I don't see how the MSIE
bug has any effect on this.
Maybe we're talking about different MSIE bugs, which is not hard to do ;-)
I was referring to the MSIE bug that affects the SSL handshake in HTTPS,
from the context
On Tuesday, Mar 25, 2003, at 13:55 US/Eastern, Ed Gerck wrote:
Jeroen van Gelderen wrote:
Heu? I am talking about HTTPS (1) vs HTTP (2). I don't see how the MSIE
bug has any effect on this.
Maybe we're talking about different MSIE bugs, which is not hard to do ;-)
I am NOT talking about MSIE
Jeroen van Gelderen wrote:
3. A significant portion of the 99% could benefit from
protection against eavesdropping but has no need for
MITM protection. (This is a priori a truth, or the
traffic would be secured with SSL today or not exist.)
Let me sum up my earlier comments:
On Tue, 25 Mar 2003, Ian Grigg wrote:
On Tuesday 25 March 2003 12:07, bear wrote:
But, luckily, there is a way to turn the above
subjective morass of harm into an objective
hard number: civil suit. Presumably, (you
mentioned America, right?) this injured party
filed a civil suit against the
I get the impression that we're talking at cross-purposes here,
with at least two different discussions. Let's look at several cases:
1 - Sites that have SSL and Expensive Certs that need them and need MITM
protection
1a - These sites, but with other security holes making it easy to break in.
Jeroen van Gelderen wrote:
On Tuesday, Mar 25, 2003, at 14:38 US/Eastern, Ed Gerck wrote:
Let me sum up my earlier comments: Protection against
eavesdropping without MITM protection is not protection
against eavesdropping.
You are saying that active attacks have the same cost as
On Tuesday, Mar 25, 2003, at 14:38 US/Eastern, Ed Gerck wrote:
Jeroen van Gelderen wrote:
3. A significant portion of the 99% could benefit from
protection against eavesdropping but has no need for
MITM protection. (This is a priori a truth, or the
traffic would be secured with SSL
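Added example, not from any message in this thread: a toy model of the point Ed Gerck and Jeroen van Gelderen are arguing over above (eavesdropping protection without MITM protection), and of the "Anonymous-Diffie-Hellman" suggestion quoted later in these results. Alice, Bob and Mallory are the usual stand-ins. The DH group is the 1024-bit MODP group of RFC 2409 (assumed correct as transcribed; verify it against the RFC before reuse), and a Schnorr signature in that group, checked against a verification key Alice is assumed to have pinned earlier, stands in for whatever a CA-issued or self-signed server certificate would supply. Anonymous DH gives both sides the same key when nobody interferes, but an active attacker who swaps the public values ends up holding a key with each side and can read everything; the signed variant rejects the same substitution.

```python
"""Toy model: anonymous Diffie-Hellman versus an active man-in-the-middle,
with and without a signed transcript.  Illustration only, not a protocol."""
import hashlib
import secrets

# 1024-bit MODP group from RFC 2409 ("group 2"), generator 2.  Undersized
# for real use; chosen so the exchange runs instantly in pure Python.
# Assumed correct as transcribed; check it against the RFC before reusing.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by G (P is a safe prime)

def enc(n: int) -> bytes:
    return n.to_bytes(128, "big")

def digest(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def keypair():
    """Ephemeral DH keypair, or a long-term Schnorr identity (same group)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def shared_key(priv: int, peer_pub: int) -> bytes:
    if not 1 < peer_pub < P - 1:
        raise ValueError("public value out of range")
    return digest(enc(pow(peer_pub, priv, P)))

def sign(s: int, msg: bytes):
    """Schnorr signature over msg under long-term secret s."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    c = int.from_bytes(digest(enc(r), msg), "big") % Q
    return r, (k + s * c) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    r, z = sig
    c = int.from_bytes(digest(enc(r), msg), "big") % Q
    return pow(G, z, P) == (r * pow(y, c, P)) % P

class Mallory:
    """Active attacker on the wire (the DNS-spoofing or routing position the
    thread talks about): swaps in his own DH values in both directions."""
    def __init__(self):
        self.priv_a, self.pub_a = keypair()  # used towards Alice
        self.priv_b, self.pub_b = keypair()  # used towards Bob
        self.keys = {}

    def relay_client(self, alice_pub: int) -> int:
        self.keys["alice"] = shared_key(self.priv_a, alice_pub)
        return self.pub_b  # Bob takes this for Alice's value

    def relay_server(self, bob_pub: int, sig):
        self.keys["bob"] = shared_key(self.priv_b, bob_pub)
        return self.pub_a, sig  # can swap the value, cannot re-sign it

def handshake(authenticated: bool, mallory=None, bob_identity=None):
    """One DH handshake, Alice as client.  With authenticated=True Bob signs
    the transcript (A, B) with bob_identity[0]; Alice checks the signature
    against bob_identity[1], which she is assumed to have pinned earlier."""
    a, A = keypair()
    b, B = keypair()
    A_at_bob = mallory.relay_client(A) if mallory else A
    sig = sign(bob_identity[0], enc(A_at_bob) + enc(B)) if authenticated else None
    bob_key = shared_key(b, A_at_bob)
    B_at_alice, sig = mallory.relay_server(B, sig) if mallory else (B, sig)
    if authenticated and not verify(bob_identity[1], enc(A) + enc(B_at_alice), sig):
        raise ValueError("signature does not cover the values Alice saw: MITM")
    alice_key = shared_key(a, B_at_alice)
    return alice_key, bob_key

def demo() -> dict:
    """Run the four cases the thread is arguing over."""
    out = {}
    ka, kb = handshake(False)
    out["anon_no_attacker_agree"] = ka == kb
    m = Mallory()
    ka, kb = handshake(False, m)
    out["anon_mitm_agree"] = ka == kb  # False: each side keyed to Mallory
    out["anon_mitm_reads_both"] = m.keys == {"alice": ka, "bob": kb}
    ident = keypair()
    ka, kb = handshake(True, None, ident)
    out["auth_no_attacker_agree"] = ka == kb
    try:
        handshake(True, Mallory(), ident)
        out["auth_mitm_detected"] = False
    except ValueError:
        out["auth_mitm_detected"] = True
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The anonymous exchange is exactly as strong as the signed one against a passive tap (both expose only the two public values), which is Jeroen's point; the second case is Ed's: once the attacker sits in the path and acts, the "eavesdropping-only" protection buys nothing, since Mallory reads and re-encrypts every byte with a valid key on each side. The signed case fails even when Mallory forwards Bob's genuine signature, because it covers the value Bob saw, not the one Alice saw.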
On Tuesday 25 March 2003 13:17, David Wagner wrote:
I'm skeptical. Just because the cost is
subjective doesn't mean we should ignore the cost.
I agree with that ... I was converting the
subjective harm into an objective cost.
I certainly wasn't intending to ignore it :-)
But, luckily, there
Ed Gerck wrote:
Ben Laurie wrote:
Ed Gerck wrote:
;-) If anyone comes across a way to explain it, that does not require study,
please let me know and I'll post it.
AFAICS, what it suggests, in a very roundabout way, is that you may be
able to verify the binding between a key and some kind of DN
At 12:09 PM 3/25/2003 -0800, bear wrote:
ISP's don't want to support encrypted links
because it raises their CPU costs. And mail
clients generally aren't intelligently designed
to handle encrypted email which the mail servers
could just pass through without decrypting and
encrypting.
circa '95
- Original Message -
From: Ed Gerck [EMAIL PROTECTED]
To: Jeroen C. van Gelderen [EMAIL PROTECTED]
Cc: Ian Grigg [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 11:20 PM
Subject: Re: Who's afraid of Mallory Wolf?
Jeroen C. van Gelderen wrote:
1. Presently 1
I get the impression that we're talking at cross-purposes here,
with at least two different discussions.
I suspect that the discussion started from commercial motivations;
cf www.systemics.com
/r$
-
The Cryptography
Ben Laurie wrote:
It seems to me that the difference between PGP's WoT and what you are
suggesting is that the entity which is attempting to prove the linkage
between their DN and a private key is that they get to choose which
signatures the relying party should refer to.
PGP's WoT already
On Sun, 23 Mar 2003, Ian Grigg wrote:
Consider this simple fact: There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a credit card (CC).
(Over any Internet medium.)
How do you view attacks based on tricking
At 11:10 PM 3/23/2003 -0500, Ian Grigg wrote:
Who's afraid of Mallory Wolf?
slight observations ... i've heard of no cases of credit card number
intercepted on the internet in flight (requiring crypto) ... and no known
cases of MITM attack (requiring certificates)
However there have been some
In message [EMAIL PROTECTED], Ian Grigg writes:
Who's afraid of Mallory Wolf?
Even worse, there's not been any known MITM of
any aggressive form. The only cases known are
a bunch of demos, under laboratory conditions.
They don't count, and MITM remains a theoretical
attack, more the subject of
Grigg counts the benefits of living in a MITM-protected world (no MITM
attacks recorded), as though they would happen with or without MITM
protection. Is there any reason to believe that this is, in fact,
true? That is, if zero dollars were spent on MITM protection, would
there still be no
At 11:10 PM 3/23/2003 -0500, Ian Grigg wrote:
Automatically generated self-
signed FREEDOM CERTIFICATES, as a convenient
temporary measure until widespread Anonymous-
Diffie-Hellman is deployed in the field, would
appear to strike the quickest and most cost-
effective blow for Browsing Liberty
On Monday 24 March 2003 11:37, Peter Clay wrote:
On Sun, 23 Mar 2003, Ian Grigg wrote:
Consider this simple fact: There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a credit card (CC).
(Over any
On Monday 24 March 2003 13:02, Steven M. Bellovin wrote:
In message [EMAIL PROTECTED], Ian Grigg writes:
Who's afraid of Mallory Wolf?
Even worse, there's not been any known MITM of
any aggressive form. The only cases known are
a bunch of demos, under laboratory conditions.
They don't
Ian Grigg wrote:
By common wisdom, SSL is designed to defeat
the so-called Man in the Middle attack, or
MITM for short.
The question arises, why?
One possible reason: Because DNS is insecure.
If you can spoof DNS, you can mount a MITM attack.
A second possible reason: It's hard to predict
what
Ian Grigg wrote:
...
The analysis of the designers of SSL indicated
that the threat model included the MITM.
On what did they found this? It's hard to pin
it down, and it may very well be, being blessed
with nearly a decade's more experience, that
the inclusion of the MITM in the threat
On Monday 24 March 2003 14:11, David Turner wrote:
Grigg counts the benefits of living in a MITM-protected world (no MITM
attacks recorded), as though they would happen with or without MITM
protection. Is there any reason to believe that this is, in fact,
true?
That is indeed the question,
On Mon, 24 Mar 2003, Peter Clay wrote:
On Sun, 23 Mar 2003, Ian Grigg wrote:
Consider this simple fact: There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a credit card (CC).
(Over any Internet medium.)
On Monday, Mar 24, 2003, at 11:37 US/Eastern, Peter Clay wrote:
On Sun, 23 Mar 2003, Ian Grigg wrote:
Consider this simple fact: There has been no
MITM attack, in the lifetime of the Internet,
that has recorded or documented the acquisition
and fraudulent use of a credit card (CC).
(Over any
. van Gelderen [EMAIL PROTECTED]
To: Peter Clay [EMAIL PROTECTED]
Cc: Ian Grigg [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 4:50 PM
Subject: Re: Who's afraid of Mallory Wolf?
On Monday, Mar 24, 2003, at 11:37 US/Eastern, Peter Clay wrote:
On Sun, 23 Mar 2003, Ian Grigg wrote
43 matches