Re: 2 questions

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 31 Mar 2015 02:00:23 +0100
Message-ID: <5519F1A7.8090900@cs.tcd.ie>
To: Adrien de Croy <adrien@qbik.com>, Xiaoyin Liu <xiaoyin.l@outlook.com>, Dan Anderson <dan-anderson@cox.net>, "Walter H." <walter.h@mathemainzel.info>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>


On 31/03/15 01:07, Adrien de Croy wrote:
> 
> With MitM all bets are off

Seems to me that claims of the prevalence of MitM are
somewhat exaggerated. The last study I recall of those
in the wild found about 0.41% of requests affected. [1]

So I think any argument of the form "don't do X to try
be more secure or private, since the prevalence of MitM
implies X is pointless" ought be considered bogus at the
~99.5% confidence level, at least according to [1].

I also note that [1] found that those few unfortunate
victims of the MitM attack are terribly served between UA
and MitM as they saw a bunch of short RSA keys (with no PFS)
used. And one would expect that to be the case as a supposedly
"benevolent" MitM will generally decide to prefer crap
security so that their always-negative performance impact
is minimised. (Seeing commensurate security on both sides
of the MitM might even be considered as indicative that
the MitM is more likely malicious and not benevolent? I've
not seen that measurement so far as I recall, so I'm just
speculating there.)

Are there better studies out there with better figures?

If not, and 0.41% of crappy security that you get with real
deployments of MitMs is the norm, then we ought be more than
ignoring the MitM deployments - we all (and browsers!) should
be yelling loudly about 'em as we trip over their victims.

Cheers,
S.

[1] http://arxiv.org/abs/1407.7146
Received on Tuesday, 31 March 2015 01:01:05 UTC