In message <[EMAIL PROTECTED]>, Ian Grigg writes:
>Who's afraid of Mallory Wolf?

>Even worse, there's not been any known MITM of
>any aggresive form.  The only cases known are
>a bunch of demos, under laboratory conditions.
>They don't count, and MITM remains a theoretical
>attack, more the subject of learnings and design
>exercises than the domain of business or crypto

Sorry, that's flat-out false.  If nothing else, there was a large-scale 
MITM attack on the conference 802.11 net at the 2001 Usenix Security 

Spammers are hijacking BGP prefixes; see
for one such incident.

Eugene Kashpureff was pleaded guilty to domain-name hijacking; used
very slightly differently, that's a MITM attack.  See for

I warned of the possibility of hijacking via routing attacks in 1989,
and via DNS attacks in 1995.  (See the 'papers' directory on my Web
site.)  Given that the attacks were demonstrably feasible, Netscape
would have been negligent not to design for it.  Given that such attacks
or their near cousins have actually occurred, I'd say they were right.

And yes, you're probably right that no one has stolen credit card numbers
that way.  Of course, since the defense was in place before people
had an opportunity to try, one can quite plausibly argue that Netscape
prevented the attack....

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to