Re: 2 questions

On Tue, Mar 31, 2015 at 9:45 PM, Amos Jeffries <> wrote:

> I, Adrien, Willy, PHK have been stating that MITM exist already in TLS
> *and are increasing*. The research you point out supports that
> statement, they saw TLS MITM rates double within just last year. With
> growth of malware instances almost tripling.
> The call we are making is to avoid doing things which encourage that
> growth to increase any further. S

​What seems odd here is that the calls that you make are apparently for
avoiding things which encourage TLS MiTM by permitting things that allow
MiTM without TLS; what that gains in terms of human rights is baffling.  It
simply lowers the cost of MiTM.

The issue isn't that it is "TLS MiTM", it's "MiTM" with whatever modifier
you like.

Encouraging efforts like acme to support easy enrolment in certificate
pinning schemes, for example, seems like a far better use of time than
trying to persuade people worrying about MiTM attacks that TLS doesn't
help, at least to me.

But your mileage may vary, and apparently does.


Received on Wednesday, 1 April 2015 21:31:01 UTC