I'm a bit puzzled by this "UKS" (Unknown Key Share) attack concept.
The attack scenario, presented in section 2 of
is that a user connects to the "attacker" site (say google.com) but
actually google.com has published Facebook.com's public key and is a
man-in-the-middle (MITM) forwarding all the traffic to facebook.com.
Now this MITM can't actually read or modify any of the traffic, they
are just a passive conduit. The most they can see is the timing of
the traffic and the number of bytes involved. The user sees
Facebook's site, secured with Facebook's key, even though they
connected to google.com. (How or why the user was somehow convinced
to connect to google.com while seeking facebook.com is unexplained.)
So the threat is... uh... ?
... something about some cross-origin scripting firewall policy
elsewhere in the system?
Why do we care?
dane mailing list