On Monday 24 March 2003 13:02, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Ian Grigg writes:
> >Who's afraid of Mallory Wolf?
> >
> >
> >Even worse, there's not been any known MITM of
> >any aggresive form.  The only cases known are
> >a bunch of demos, under laboratory conditions.
> >They don't count, and MITM remains a theoretical
> >attack, more the subject of learnings and design
> >exercises than the domain of business or crypto
> >engineering.
> Sorry, that's flat-out false.  If nothing else, there was a large-scale 
> MITM attack on the conference 802.11 net at the 2001 Usenix Security 
> Symposium.

Thanks Steve, now we are getting closer.
802.11b is where I'd been expecting it to
happen, as the costs of the MITM come
right down there.

Would you characterise the attack as a
bunch of techies mucking around, or would
you characterise it as an aggressive attempt
to gain a commercial advantage?  I.e., did
the attackers steal anything?  Or did they
just annoy people by showing how cool
they were?

I would surmise that's a techie conference, and
is thus a demonstration, not a measurable

> Spammers are hijacking BGP prefixes; see 
> http://www.merit.edu/mail.archives/nanog/2002-10/msg00068.html
> for one such incident.

I'm can't see clearly whether this is
an MITM or a spoofing - did they stand
in the middle and listen and divert?

Or, did they just tell innocent servers
to start re-routing traffic?  It seems
like an announcement of routes, and
the listeners just believed...

(But, it is an aggressive attack, someone
tried to steal traffic for commercial gain.)

I think you may be right in that my
use of the term MITM is too broad.
The cert in SSL protects against a
cryptographic MITM in, for example,
an ADH session.

But, MITMs outside that are important
measurable risks so we can create our
threat model.  The fact that this attack
appears not to be analogous to the
SSL-style MITM may or may not be

> Eugene Kashpureff was pleaded guilty to domain-name hijacking; used
> very slightly differently, that's a MITM attack.  See
> http://www.usdoj.gov/criminal/cybercrime/kashpurepr.htm for
> details.

>From what I recall, this was a "demo".

He didn't do it to steal.  He did it to
highlight the business aspects.  Sadly
for him, he miscalculated (grossly, it
seems).  But, his case fits in the sense
of "not a criminal seeking to steal value,"
and therefore not a case of measurable

> I warned of the possibility of hijacking via routing attacks in 1989,
> and via DNS attacks in 1995.  (See the 'papers' directory on my Web
> site.)

I certainly accept them as possible.

That's not disputed, and never has
been, as indeed, that was the whole
thrust of the discussion:  The SSL
designers put the protection in
because the threat was possible.

They quite rightly offered the choice
in the protocols.  Where I am concerned
is that they also wrongly forced the
certificate path on browsers and
servers.  To our detriment, and to

> Given that the attacks were demonstrably feasible, Netscape
> would have been negligent not to design for it.  Given that such attacks
> or their near cousins have actually occurred, I'd say they were right.

No, I'm afraid that does not hold.  The
reason we protect against attacks is
because when they happen, they incur
costs.  But, designing in protection also
incurs costs.  We must do a cost-benefit
analysis to decide if it is appropriate to
protect against it.

To say that attacks are "feasible" and
therefore must be defended against is
not how we work.  We can guaruntee
that you are immune to car accidents,
simply by asking you to stay at home.
You (probably) chose not to do so,
because you chose to enjoy the higher
benefit of travelling, as against the
smaller expected cost of a suffering
an accident.

> And yes, you're probably right that no one has stolen credit card numbers
> that way.  Of course, since the defense was in place before people
> had an opportunity to try, one can quite plausibly argue that Netscape
> prevented the attack....

Right.  But it's an empty argument if there
is no need.  We don't carry umbrellas when
the sun is shining, only when the sky is grey.
And, we don't build meteorite protection at
all, even though we could, and they happen!

We use information about real threats and
how they hurt us to decide whether to
worry about them.  And that's why the
question about MITMs is so key!

The question is, is there a need?  From
several economic points of view, the need
fails to show itself.  And, the cost is quite
high, both in cash, and lost security.

Taking your links above at face value, I'll
assume that the cost of stolen/hijacked IP
number there was about $10,000 in lost
business and customers being annoyed
at unexpected porn.

Say that happens once a metric month to
some random victim  ... or, $100,000 per
year.  That cost simply fails to justify any
level of signed-certificate infrastructure, so,
I'd conclude that the BGP protocol designers
have done exactly the right thing in not
deploying certs, and saved the users a bundle.

(And, Netscape has done exactly the wrong
thing by setting up CA-signed certs as

The fact that the MITM is possible, doesn't
make for a need.  Especially when we are
all paying O($100m) per year for that possibility.

Thanks for the MITM pointers.  I'm going
to have to look deeper into that BGP think
to see whether I'm wrong on the "none at all"
case.  MITMs are going to happen one day,
and then, we will be able to properly measure
the costs.  That's where we want to be!


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to