Re: 2 questions

--------
In message <551B0C46.8040705@cs.tcd.ie>, Stephen Farrell writes:

>Meanwhile, the take-away is clearly that MitM deployment is one of
>those things that's (ab:-)used about 0.41% of the time and should
>be treated as such and that claims to the contrary are anecdotal.

Sorry for being the "one sheep which looks like it is black on at least
one side" guy:

As interesting as that study was, its results do not support your
rather flippant and arrogant marginalization of MitM as an issue.

What the study documents is that MitM, in two short periods of last
year was *detected* in about 0.41% of a particular small traffic
sample.

The main problem is that we have absolutely *no* idea what the
study's global probability of MitM detection was, which dumps us
right into the deep end of the type I/II error pool.  (i.e.: no mobiles
because they lack Flash, only webpages serving certain AdWords etc.)

The secondary problem is that the traffic sample is in no way
representative of the total traffic in the internet. (i.e.: AdWords
again and only return traffic to a particular destination.)

The study is therefore at best an "existence proof" study and at
most we can with *some* confidence say that the amount of MitM is
unlikely to be significantly *less* than 0.41% on a global scale.

But much more importantly, the study says absolutely nothing about
how important to society the 0.41% or the corresponding undetected
shadow number might be.

First, remember that just because it is a small number doesn't
mean it is unimportant:  The homicide rate in USA is 4.7 per 100,000
population, two orders of magnitude below 0.41%, but no sane person
thinks we can disband the police homicide units because it is a
small number "and claims to the contrary are anecdotal".

In particular it is worth pointing out that the study's methods would
entirely fail to detect legal and court-approved MitM as part of
criminal investigations, since they usually only MitM particular
destinations and often with certs which look surprisingly valid.

Privacy is not a technical problem with a technical solution,
it is a political problem, and must be solved with political means.

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Tuesday, 31 March 2015 22:21:42 UTC