On Thu, Dec 18, 2014 at 3:46 PM, Michael Martinez < michael.martinez@xenite.org> wrote: > > No, what I am saying is that you can bypass the certificate for a MITM > attack via a new technique that was published earlier this year. > Citation needed. Earlier this year, you made these two G+ posts suggesting HTTPS is broken: https://plus.google.com/102255413942524311706/posts/bBMdzq8Z3vF Google, the great champion of HTTPS/SSL, cannot prevent yet more man-in-the-middle attacks against its users: http://www.theregister.co.uk/2014/11/21/hackers_snaffling_smartphone_secrets_with_redirection_attack/ https://plus.google.com/102255413942524311706/posts/LjKu1UfraXR If your company is serious about using HTTPS it has to do it right (not that it will matter, but don't throw your money away on bad implementation). http://www.darkreading.com/endpoint/the-week-when-attackers-started-winning-the-war-on-trust-/a/d-id/1317657 The first link is about an ARP-poisoning man-in-the-middle attack that has nothing to do with HTTPS/SSL, the article doesn't mention "HTTPS" or "SSL", and in fact the attack would have been *prevented* by HTTPS/SSL. The second link is about how mismanaging your web server can compromise HTTPS's added security benefits (e.g., using long-unsupported MD5 certificates or revealing your SSL secret key). That's true, but misleading: the risks are no more severe than if you mismanage an HTTP-only server. You seem to be arguing that people shouldn't be encouraged to lock their doors when leaving because sometimes they forget to lock their windows. But actually we need to encourage people to do *both*.
Received on Friday, 19 December 2014 00:04:36 UTC