- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 31 Mar 2015 20:49:02 +0000
- To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Xiaoyin Liu" <xiaoyin.l@outlook.com>, "Dan Anderson" <dan-anderson@cox.net>, "Walter H." <walter.h@mathemainzel.info>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
It's great people are doing work in that area and thanks for posting that link.

However I don't know if the conclusion can follow that it's completely bogus to consider the impact of MitM at all, and if not now then for all time (I know this wasn't your exact claim).

Even the study remarked they got double the result of a previous study. That could be down to better testing, and/or growth in use of MitM in the intervening time period.

Without the source to their flash app, it's hard to tell whether there were any issues with the validity of the testing. Also it's hard to know from a google adwords campaign whether you are getting skewed results, for instance where there are proxies configured on a whitelist basis (there are many of these) that prevent access to the test site. So I believe the number reported will be on the low side. How much lower than real is for anyone to guess.

As to where to draw the line where we consider something to be insignificant or not, is 1% insignificant? 2%?

I know the use of MitM is growing (at least in our customer-base). Sure some may be abandoning it, but I'm not really seeing any evidence of that. So maybe in a couple years it could be much higher than 0.41%, and for corporate users I'm certain it is much higher. I don't see the same incentives for ISPs to deploy MitM, and there are bigger issues like convincing people to install root certs, which corporate environments don't suffer the same from.

So whilst very interesting, I don't know if we can really draw too much from this study alone. It would be very interesting to see the results redone at say yearly intervals.

Adrien

------ Original Message ------
From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
To: "Adrien de Croy" <adrien@qbik.com>; "Xiaoyin Liu" <xiaoyin.l@outlook.com>; "Dan Anderson" <dan-anderson@cox.net>; "Walter H." <walter.h@mathemainzel.info>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 31/03/2015 2:00:23 p.m.
Subject: Re: 2 questions

>
>
>On 31/03/15 01:07, Adrien de Croy wrote:
>>
>> With MitM all bets are off
>
>Seems to me that claims of the prevalence of MitM are
>somewhat exaggerated. The last study I recall of those
>in the wild found about 0.41% of requests affected. [1]
>
>So I think any argument of the form "don't do X to try
>be more secure or private, since the prevalence of MitM
>implies X is pointless" ought be considered bogus at the
>~99.5% confidence level, at least according to [1].
>
>I also note that [1] found that those few unfortunate
>victims of the MitM attack are terribly served between UA
>and MitM as they saw a bunch of short RSA keys (with no PFS)
>used. And one would expect that to be the case as a supposedly
>"benevolent" MitM will generally decide to prefer crap
>security so that their always-negative performance impact
>is minimised. (Seeing commensurate security on both sides
>of the MitM might even be considered as indicative that
>the MitM is more likely malicious and not benevolent? I've
>not seen that measurement so far as I recall, so I'm just
>speculating there.)
>
>Are there better studies out there with better figures?
>
>If not and 0.41% of crappy security that you get with real
>deployments of MitM's is the norm, then we ought be more than
>ignoring the MitM deployments - we all (and browsers!) should
>be yelling loudly about 'em as we trip over their victims.
>
>Cheers,
>S.
>
>[1] http://arxiv.org/abs/1407.7146
>
Received on Tuesday, 31 March 2015 20:50:39 UTC
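The quoted reply describes what the cited study measured from the client side: whether the leaf certificate a browser received matched the one the origin serves, and how weak the crypto between UA and MitM was (short RSA keys, no PFS) when it did not. The following is an added example, not code from either poster or from the study, showing that classification over a small set of constructed connection records. The host names, certificate bytes, fingerprints and cipher suite names are all constructed for the example; real baselines would come from the site operator.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """One TLS connection as seen from the client side (constructed sample data)."""
    host: str
    leaf_fingerprint: str  # SHA-256 hex of the leaf certificate the client received
    rsa_bits: int          # modulus size of the leaf certificate's RSA key
    cipher: str            # negotiated cipher suite, OpenSSL-style name


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


# What the origin servers are known to serve. The DER bytes here are
# constructed stand-ins; a real baseline comes from the site operator.
EXPECTED = {
    "example.test": fingerprint(b"constructed DER for example.test"),
    "shop.example.test": fingerprint(b"constructed DER for shop.example.test"),
}

FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")
MIN_RSA_BITS = 2048


def classify(obs: Observation) -> Optional[list]:
    """Return None when the leaf certificate matches the origin's (or the host
    has no baseline, so nothing can be judged); otherwise a list of findings
    about the interception, starting with "forged-certificate"."""
    expected = EXPECTED.get(obs.host)
    if expected is None or obs.leaf_fingerprint == expected:
        return None
    findings = ["forged-certificate"]
    if obs.rsa_bits < MIN_RSA_BITS:
        findings.append("short-rsa-key")
    if not obs.cipher.startswith(FORWARD_SECRET_PREFIXES):
        findings.append("no-pfs")
    return findings


def summarize(observations) -> dict:
    """Interception rate over the connections that could be judged, plus how
    many intercepted connections also had weak crypto between UA and MitM."""
    judged = intercepted = weak_at_mitm = 0
    for obs in observations:
        if obs.host not in EXPECTED:
            continue
        judged += 1
        findings = classify(obs)
        if findings:
            intercepted += 1
            if len(findings) > 1:
                weak_at_mitm += 1
    return {
        "judged": judged,
        "intercepted": intercepted,
        "rate": intercepted / judged if judged else 0.0,
        "weak_at_mitm": weak_at_mitm,
    }


# Constructed sample: three clean connections, one interception with the
# short-key/no-PFS profile the quoted reply describes, one interception whose
# UA-side crypto mirrors the origin's, and one host with no baseline.
SAMPLE = [
    Observation("example.test", EXPECTED["example.test"], 2048, "ECDHE-RSA-AES128-GCM-SHA256"),
    Observation("shop.example.test", EXPECTED["shop.example.test"], 2048, "ECDHE-RSA-AES256-GCM-SHA384"),
    Observation("example.test", EXPECTED["example.test"], 2048, "ECDHE-RSA-AES128-GCM-SHA256"),
    Observation("example.test", fingerprint(b"constructed proxy-issued cert A"), 1024, "AES128-SHA"),
    Observation("shop.example.test", fingerprint(b"constructed proxy-issued cert B"), 2048, "ECDHE-RSA-AES128-GCM-SHA256"),
    Observation("unknown.test", fingerprint(b"constructed cert C"), 2048, "AES128-SHA"),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        print(obs.host, classify(obs))
    print(summarize(SAMPLE))
```

Two points from the thread are visible in the numbers this produces. The rate is computed only over connections that reached a host with a baseline, so clients behind a whitelist proxy that blocks the test site never enter the denominator at all, which is the lower-bound effect Adrien raises. And the `weak_at_mitm` count separates interceptions that downgrade the UA-side crypto from ones that keep it commensurate with the origin, the distinction Stephen speculates might be worth measuring.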