Ian Grigg wrote:
> We've been in the SSL business
> for 10 years now, as a community (I don't mean
> me, as such). Billions or Trillions of events
> have occurred. Once we get to a certain number,
> we get enough stats to be able to say things
> with a fair degree of certainty. We know that
> the major threats are: spam, viruses, hacking,
> and soon, phishing. We know that the "didn't
> happen" threats are eavesdropping and MITM.

No, we know that eavesdropping and MITM have not been widely and
publicly reported. We definitely do NOT know they "didn't happen".
Believe it or not, MITM is not a defined crime in the USA.
If a service provider (ISP, mail service provider, proxy
server provider, etc.) has an agreement with all its users
that allows it (perhaps in very vague language) to observe
and take note of all the traffic that passes through it,
then it probably can legally do MITM; AND anyone who would
accuse it of wrongdoing could be VERY liable for doing so,
even if they could prove it. Indeed, I have seen user agreements
where the user agrees to hold the service provider harmless from
damages arising from the provider's use of the user's data. (!)
When trying to estimate MITM, don't think of kids doing it,
think big time. When your ISP tells you that you must download
and install some software to use their service, well, it would be
a good idea to look at your CA lists (IE's and Mozilla's) before
and after doing so.
There are numerous programs available that claim to observe all
the changes an installer program makes to your system, and show
them to you or even undo them. I haven't yet seen any that capture
root CA list additions.

> There's probably a piece missing in this
> conversation. Frankly, revocation is considered
> to be a highly dubious feature, and not one that
> "makes or breaks the system."

I'm sure that that's how consumers and PGP users see it.
That's not AT ALL how most enterprise or government IT departments
see it.
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
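The before/after CA-list check described in the message above, as an added example that is not part of the thread (Python; it assumes the browser's root store has been exported to a PEM bundle, and the sample bundles inside are constructed placeholders rather than real certificates):

```python
"""Added example (not from the thread): snapshot a root CA list as SHA-256
fingerprints and diff it before/after installing vendor software, the check
the post suggests for the IE and Mozilla CA lists. Assumes the store was
exported to a PEM bundle; sample bundles below are constructed placeholders."""
import hashlib
import json
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle: str) -> dict:
    """Map SHA-256 fingerprint -> DER length for each cert in the bundle."""
    out = {}
    for block in PEM_BLOCK.findall(pem_bundle):
        der = ssl.PEM_cert_to_DER_cert(block)  # base64 body -> DER bytes
        out[hashlib.sha256(der).hexdigest()] = len(der)
    return out

def save_snapshot(path: str, pem_bundle: str) -> None:
    """Write the fingerprint map to disk (run once before, once after)."""
    with open(path, "w") as fh:
        json.dump(fingerprints(pem_bundle), fh, indent=1)

def load_snapshot(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)

def diff_stores(before: dict, after: dict) -> dict:
    """Roots that appeared or vanished between two snapshots."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after))}

def _fake_cert(body_b64: str) -> str:
    # Constructed placeholder with a tiny base64 body; real roots run 1-2 KB.
    return ("-----BEGIN CERTIFICATE-----\n" + body_b64 +
            "\n-----END CERTIFICATE-----\n")

BEFORE_PEM = _fake_cert("Um9vdEE=") + _fake_cert("Um9vdEI=")
# After the install: the same two roots plus one the installer added.
AFTER_PEM = BEFORE_PEM + _fake_cert("VmVuZG9yUm9vdA==")
BEFORE = fingerprints(BEFORE_PEM)
AFTER = fingerprints(AFTER_PEM)

if __name__ == "__main__":
    for kind, fps in diff_stores(BEFORE, AFTER).items():
        for fp in fps:
            print(f"{kind}: sha256 {fp}")
```

Any fingerprint reported as "added" is a root the installer introduced and is worth inspecting before trusting it.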