On Oct 16, 2013, at 8:23 AM, Stephen Kent <[email protected]> wrote:

> One reason is that these e-mail access protocols are used in enterprise environments where passive wiretapping is often not considered a viable attack.
As someone who remembers the switch to Kerberos and then SSH driven by password sniffers in the LAN, including one which got my own password back in the day, I find this assumption grossly unrealistic. You have to REALLY lock down the LAN, including properly configured high-end switches with ARP filtering and/or other layer 3 management, for this assumption to be even remotely plausible.

Finally, we must consider passive wiretapping an active attack. The only thing which prevents a passive wiretap from modifying (rather than just monitoring) traffic is almost invariably the will of the attacker, not any technical limitation, since even on-path wiretappers can packet inject, allowing the attacker to trivially promote themselves into a MitM situation in almost all circumstances.

--
Nicholas Weaver                  it is a tale, told by an idiot,
[email protected]               full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
