Ian G wrote, On 2008-10-18 12:32:

> This is the pathological problem with MITM protection that has
> existed from day 1 of SSL:  it was a solution in advance of a
> problem.  Given that the solution was theoretical, and the problem
> had no practical existence (until recently), the solution could
> never be trialled against a real attacker.  Add in some complexity,
> hello brittleness, meet shatter!

Be careful not to confuse and conflate the MITM detection properties
of SSL with the MITM resistance properties of the browser UI.

As we see in this case, SSL did not fail to detect a single one of the
attacks, but the browser UI allowed the value of that detection to be lost.

Failure of browser UI is not a bad reflection on SSL, except to the extent
that people who write about this confuse the two.
