----- Original Message ----- 
From: "Tom Otvos" <[EMAIL PROTECTED]>

> As far as I can glean, the general consensus in WYTM is that MITM attacks
are very low (read:
> inconsequential) probability.

I'm not certain this was the consensus.

We should look at the scenarios in which this is possible, and the tools
are available to accomplish the attack.  I would say that the attack is more
easily done inside a local network (outside the network you have to get
of the ISP or some node, and this is more for the "elite").
But statistics show that most exploits are accomplished because of employees
within a company (either because they are not aware of basic security
or because the malicious person was an employee within), so I find this
(attack from inside the network) to be plausible.

Take for an example a large corporation of 100 or more employees, there has
got to be a couple of people that do on-line purchasing from work, on-line
banking, etc...  I would say that it is possible that an employee (just
curious, or
really malicious) would want to intercept these communications....

So how difficult is it to launch an MITM attack on https?  Very simple it
seems.  My hacker friends pointed out to me two softwares, ettercap and

Cain is the newest I think, and remarkably simple to use.  It has a very
GUI and it doesn't take much hacking ability to use it.  I've been using it
recently for educational purposes and find it very easy to use, and I don't
consider myself a hacker.

Cain allows you to do MITM (in HTTPS, DNS and SSHv1) on a local
network.  It can generate certificates in real time with the same common
name as the original.  The only thing is that the certificate will probably
be signed by a trusted CA, but most users are not security aware and
will just continue despite the warning.

So given this information, I think MITM threats are real.  Are these attacks
being done in practice?  I don't know, but I don't think they would easily
be reported if they were, so you  can guess what my conclusion is...


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to