>This means a site paying attention to such things could notice a >change in IP address, or, if several users were attacked this way, >notice repeated connections from the same IP. (Granted the MITM >could distribute the queries over a botnet, but it raises the bar >somewhat.) > >I have no idea if sites do such check, just speculation on my part.
You're right, but it's not obvious to me how a site can tell an evil MITM proxy from a benign shared web cache. The sequence of page accesses would be pretty similar. I suppose that you could hope that legitimate HTTPS requests would come direct from the client machine, so requests for multiple users on the same IP would be suspicious, but on networks like AOL's, I wouldn't count on it working that way. R's, John --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com