On Monday 24 March 2003 13:02, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Ian Grigg writes:
> >Who's afraid of Mallory Wolf?
> >
> >
> >Even worse, there's not been any known MITM of
> >any aggressive form. The only cases known are
> >a bunch of demos, under laboratory conditions.
> >They don't count, and MITM remains a theoretical
> >attack, more the subject of learnings and design
> >exercises than the domain of business or crypto
> >engineering.
>
> Sorry, that's flat-out false. If nothing else, there was a large-scale
> MITM attack on the conference 802.11 net at the 2001 Usenix Security
> Symposium.
Thanks Steve, now we are getting closer. 802.11b is where I'd been expecting it to happen, as the costs of the MITM come right down there.

Would you characterise the attack as a bunch of techies mucking around, or would you characterise it as an aggressive attempt to gain a commercial advantage? I.e., did the attackers steal anything? Or did they just annoy people by showing how cool they were?

I would surmise that's a techie conference, and is thus a demonstration, not a measurable risk.

> Spammers are hijacking BGP prefixes; see
> http://www.merit.edu/mail.archives/nanog/2002-10/msg00068.html
> for one such incident.

I can't see clearly whether this is an MITM or a spoofing - did they stand in the middle and listen and divert? Or, did they just tell innocent servers to start re-routing traffic? It seems like an announcement of routes, and the listeners just believed...

(But, it is an aggressive attack, someone tried to steal traffic for commercial gain.)

I think you may be right in that my use of the term MITM is too broad. The cert in SSL protects against a cryptographic MITM in, for example, an ADH session. But, MITMs outside that are important measurable risks so we can create our threat model. The fact that this attack appears not to be analogous to the SSL-style MITM may or may not be relevant.

> Eugene Kashpureff pleaded guilty to domain-name hijacking; used
> very slightly differently, that's a MITM attack. See
> http://www.usdoj.gov/criminal/cybercrime/kashpurepr.htm for
> details.

From what I recall, this was a "demo". He didn't do it to steal. He did it to highlight the business aspects. Sadly for him, he miscalculated (grossly, it seems). But, his case fits in the sense of "not a criminal seeking to steal value," and therefore not a case of measurable risk.

> I warned of the possibility of hijacking via routing attacks in 1989,
> and via DNS attacks in 1995. (See the 'papers' directory on my Web
> site.)

I certainly accept them as possible.
That's not disputed, and never has been, as indeed, that was the whole thrust of the discussion: The SSL designers put the protection in because the threat was possible. They quite rightly offered the choice in the protocols. Where I am concerned is that they also wrongly forced the certificate path on browsers and servers. To our detriment, and to theirs.

> Given that the attacks were demonstrably feasible, Netscape
> would have been negligent not to design for it. Given that such attacks
> or their near cousins have actually occurred, I'd say they were right.

No, I'm afraid that does not hold. The reason we protect against attacks is because when they happen, they incur costs. But, designing in protection also incurs costs. We must do a cost-benefit analysis to decide if it is appropriate to protect against it.

To say that attacks are "feasible" and therefore must be defended against is not how we work. We can guarantee that you are immune to car accidents, simply by asking you to stay at home. You (probably) chose not to do so, because you chose to enjoy the higher benefit of travelling, as against the smaller expected cost of suffering an accident.

> And yes, you're probably right that no one has stolen credit card numbers
> that way. Of course, since the defense was in place before people
> had an opportunity to try, one can quite plausibly argue that Netscape
> prevented the attack....

Right. But it's an empty argument if there is no need. We don't carry umbrellas when the sun is shining, only when the sky is grey. And, we don't build meteorite protection at all, even though we could, and they happen! We use information about real threats and how they hurt us to decide whether to worry about them.

And that's why the question about MITMs is so key! The question is, is there a need? From several economic points of view, the need fails to show itself. And, the cost is quite high, both in cash, and lost security.
Taking your links above at face value, I'll assume that the cost of stolen/hijacked IP number there was about $10,000 in lost business and customers being annoyed at unexpected porn. Say that happens once a metric month to some random victim ... or, $100,000 per year.

That cost simply fails to justify any level of signed-certificate infrastructure, so, I'd conclude that the BGP protocol designers have done exactly the right thing in not deploying certs, and saved the users a bundle. (And, Netscape has done exactly the wrong thing by setting up CA-signed certs as required.)

The fact that the MITM is possible, doesn't make for a need. Especially when we are all paying O($100m) per year for that possibility.

Thanks for the MITM pointers. I'm going to have to look deeper into that BGP thing to see whether I'm wrong on the "none at all" case. MITMs are going to happen one day, and then, we will be able to properly measure the costs. That's where we want to be!

--
iang