On Nov 20, 2013, at 3:42 PM, Nicholas Weaver <[email protected]> wrote:

> We need to consider the network transporting our data as an active attacker,
> not just one which can observe/wiretap, but one that is both outside our
> control and willing to serve as a vehicle for attacking the end systems. It's
> always been this way, but the recent behavior of the NSA/GCHQ has ensured
> that the pleasant fiction of the network's lack of hostility is no longer
> acceptable.
The thing that hit me from this article that I really just hadn't fully understood previously is that any web site that displays personalized information per user that can be easily parsed now serves as a way to do a targeted attack on an individual or on individuals who work for an organization. So if you read slashdot or tumblr, for example, both of which display personally identifying information on their home pages if you are logged in, then a MitM attacker can listen on the link the server is connected to and trigger on HTTP responses to you, and then attack you specifically, without revealing the attack to anyone else. So this starts as a pervasive passive attack, essentially, and then turns into an active attack only for the targeted user or users.

This can be mitigated in several ways: obviously https-everywhere will address the problem, but also if the web site simply doesn't display personally identifying information in its outgoing traffic, then the passive attack isn't possible. Of course, if the attacker knows your IP address, then they don't need to scrape the HTTP response, but attackers don't necessarily have that information, particularly if what they are doing is illegal in the country you live in.

So there's real value in being aware of this threat model and trying to mitigate it. Specifically, maybe the IETF (or someone) should be recommending that web sites not display personally identifying information about logged-in users except over TLS connections. Certainly we should document this threat model and try to raise awareness about it.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
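The check a site operator would want for the threat model discussed in this thread, as an added example that is not part of any poster's message: given a raw HTTP response captured from (or generated by) their own site, flag the things that turn a cleartext page into a targeting beacon. The response bytes, the identifier list, the cookie name and the `audit` function are all constructed for this example; nothing here comes from slashdot, tumblr or the IETF.

```python
"""Audit a raw HTTP response for the passive-then-targeted MitM problem:
a logged-in user's identifying data sent in cleartext lets an on-path
observer select that user out of everyone else's traffic.

Added example for this thread, not code from any poster. SAMPLE_RESPONSE
and HARDENED_RESPONSE are constructed inputs, not captures of real sites.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # short machine-readable label
    detail: str    # what was matched (identifier, cookie name, header)


# Constructed cleartext response: PII in the body and a session cookie
# without the Secure attribute, no HSTS. This is what an observer on the
# server's uplink would see on port 80.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=deadbeef; Path=/; HttpOnly\r\n"
    b"\r\n"
    b"<html><body><div id='user'>Logged in as alice.example</div>"
    b"<a href='mailto:alice@example.com'>alice@example.com</a></body></html>"
)

# Constructed response as it should look once the fix is in place: served
# over TLS, cookie marked Secure, HSTS pinning clients to HTTPS.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Set-Cookie: session=deadbeef; Path=/; HttpOnly; Secure\r\n"
    b"\r\n"
    b"<html><body><div id='user'>Logged in as alice.example</div></body></html>"
)


def parse_response(raw: bytes):
    """Split a raw response into (status line, headers, body).

    Header names are lower-cased; repeated headers (Set-Cookie) are kept
    as a list. The body is decoded leniently so binary junk cannot break
    the audit.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("utf-8", "replace")


def audit(raw: bytes, identifiers, over_tls: bool):
    """Return findings for one response.

    identifiers: strings that identify the logged-in test account (username,
    email). Only cleartext responses are checked for them, since the
    mitigation proposed in the thread is "no PII except over TLS".
    """
    findings = []
    _, headers, body = parse_response(raw)
    if not over_tls:
        lowered = body.lower()
        # Any identifier in a cleartext body is exactly the trigger a
        # passive observer would key on to single out this user.
        for ident in identifiers:
            if ident.lower() in lowered:
                findings.append(Finding("pii-cleartext", ident))
        # A session cookie set without Secure will also be replayed over
        # cleartext later, giving the observer a second selector.
        for cookie in headers.get("set-cookie", []):
            attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(Finding("cookie-not-secure", cookie.split("=", 1)[0]))
    # Without HSTS a first visit (or an SSL-stripping MitM) still lands on
    # port 80, so the TLS-only policy is not actually enforced by the site.
    if "strict-transport-security" not in headers:
        findings.append(Finding("no-hsts", "Strict-Transport-Security"))
    return findings


if __name__ == "__main__":
    ids = ["alice.example", "alice@example.com"]
    for f in audit(SAMPLE_RESPONSE, ids, over_tls=False):
        print(f"{f.kind}: {f.detail}")
```

Run against a real site, the raw bytes would come from a cleartext fetch of the logged-in home page with a test account, and `identifiers` would be that account's display name and address; the point of the `over_tls` flag is that the same body is acceptable once it only ever travels inside TLS, which is what the thread proposes.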
