On Mon, 24 Mar 2003, Peter Clay wrote:

>On Sun, 23 Mar 2003, Ian Grigg wrote:
>> Consider this simple fact:  There has been no
>> MITM attack, in the lifetime of the Internet,
>> that has recorded or documented the acquisition
>> and fraudulent use of a credit card (CC).
>> (Over any Internet medium.)

There have, however, been numerous MITM attacks for stealing
or eavesdropping on email.  A semi-famous case I'm thinking
of involves a rabid baptist minister named fred phelps and
a topeka city councilwoman who had the audacity to vote against
him running roughshod over the law.  He set up routing tables
to fool DNS into thinking his machine was the shortest distance
from the courthouse where she worked to her home ISP and
eavesdropped on her mail.  Sent a message to every fax machine
in town calling her a "Jezebellian whore" after getting the
skinny on the aftermath of an affair that she was discussing
with her husband.

And as for theft of credit card numbers, the lack of MITM
attacks directly on them is just a sign that other areas of
security around them are so loose no crooks have yet had to
go to that much trouble.  Weakest link, remember?  No need
to mount a MITM attack if you're able to just bribe the data
entry clerk.  Just because most companies' security is so
poor that it's not worth the crook's time and effort doesn't
mean we should throw anyone who takes security seriously
enough that a MITM vulnerability might be the weakest link
to the wolves.

>How do you view attacks based on tricking people into going to a site
>which claims to be affiliated with e.g. Ebay or Paypal, getting them to
>enter their login information as usual, and using that to steal money?

These, technically speaking, are impostures, not MITM attacks.  The
web makes it ridiculously easy.  You can use any linktext or graphic
to link to anywhere, and long cryptic URL's are sufficiently standard
practice that people don't actually look at them any more to notice a
few characters' difference.

On the occasions where people have actually spoofed DNS to route the
"correct" URL to the "wrong" server in order to get info on people's
accounts, that is a full-on MITM attack. And that definitely has
happened.  I'm surprised to hear someone claim that credit card
numbers haven't been stolen that way. I've been more concerned about
email than credit cards, so I don't know for sure, but if credit cards
haven't been stolen this way then the guys who want them are way
behind the guys who want to eavesdrop on email.

>> [2] AFAIR, Anonymous-Diffie-Hellman, or ADH, is
>> inside the SSL/TLS protocol, and would represent
>> a mighty fine encrypted browsing opportunity.
>> Write to your browser coder today and suggest
>> its immediate employment in the fight against
>> the terrorists with the flappy ears.

> Just out of interest, do you have an economic cost/benefit analysis
> for the widespread deployment of gratuitous encryption?

This is a simple consequence of the fact that the main market for SSL
encryption is financial transactions.  And no credit card issuer wants
fully anonymous transactions; it leaves them holding the bag if
anything goes wrong.  Anonymous transactions require a different
market, which has barely begun to make itself felt in a meaningful way
(read: by being willing to pay for it) to anyone who has pockets deep
enough to do the development.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to