[17274] in cryptography@c2.net mail archive
Re: What happened with the session fixation bug?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue May 31 11:57:25 2005
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com, cypherpunks@lne.com
In-Reply-To: Your message of "Sat, 07 May 2005 14:03:07 PDT."
<427CCA9B.29132.760A1FC@localhost>
Date: Mon, 30 May 2005 21:17:57 -0400
In message <427CCA9B.29132.760A1FC@localhost>, "James A. Donald" writes:
> --
>PKI was designed to defeat man in the middle attacks
>based on network sniffing, or DNS hijacking, which
>turned out to be less of a threat than expected.
>
First, you mean "the Web PKI", not PKI in general.
The next part of this is circular reasoning. We don't see network
sniffing for credit card numbers *because* we have SSL. Since many of
the worm-spread pieces of spyware incorporate sniffers, I'd say that
part of the threat model is correct.
As for DNS hijacking -- that's what's behind "pharming" attacks. In
other words, it's a real threat, too.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com