On Fri, May 7, 2010 at 4:21 PM, Tab Atkins Jr. <[email protected]> wrote:
> On Fri, May 7, 2010 at 10:06 AM, Juuso Hukkanen <[email protected]> wrote:
>> 1) Man-in-the-middle problem; which doesn't exist because
>> a) those are just academic mind games
>
> You don't get to talk about security anymore.
I don't think "academic" is an *entirely* unfair characterization of MITM on the web, actually. MITM is hard enough to pull off on the open web that unless you're a bank or PayPal or something, it's unlikely anyone would bother. In practice, most web developers don't have to worry about MITM. By contrast, something like XSS or SQL injection is often so easy to exploit when it exists that any site is at risk, from botnet operators targeting their outdated software or from script kiddies feeling bored or spiteful.

In fact, do you know of *any* examples of MITM attacks being successfully used against a public website? It's not that I doubt that it's happened, but I don't actually know of any specific cases. In principle, you should be able to harvest lots of passwords by dropping some free wireless routers in strategic locations.

(There's still an entirely different fatal problem with what you quoted, though: if you aren't worried about MITM, then encryption is pointless to begin with. I don't dispute your conclusion. :) )
