Re: 2 questions

Let’s just say that a certain ISP (or rather, ISPs backed by a government agency) in a certain country MITM 100% of all kinds of plaintext traffic, and they disrupt all kinds of encrypted traffic. If HTTP/2 cannot survive such MITM this will effectively disconnect a whole country from the Web.

Let’s just say this will make that certain government agency very happy, since they no longer need to censor anything, as the Web censored itself.

> On Mar 31, 2015, at 09:00, Stephen Farrell wrote:
> On 31/03/15 01:07, Adrien de Croy wrote:
>> With MitM all bets are off
>
> Seems to me that claims of the prevalence of MitM are
> somewhat exaggerated. The last study I recall of those
> in the wild found about 0.41% of requests affected. [1]
> So I think any argument of the form "don't do X to try
> be more secure or private, since the prevalence of MitM
> implies X is pointless" ought be considered bogus at the
> ~99.5% confidence level, at least according to [1].
>
> I also note that [1] found that those few unfortunate
> victims of the MitM attack are terribly served between UA
> and MitM as they saw a bunch of short RSA keys (with no PFS)
> used. And one would expect that to be the case as a supposedly
> "benevolent" MitM will generally decide to prefer crap
> security so that their always-negative performance impact
> is minimised. (Seeing commensurate security on both sides
> of the MitM might even be considered as indicative that
> the MitM is more likely malicious and not benevolent? I've
> not seen that measurement so far as I recall, so I'm just
> speculating there.)
>
> Are there better studies out there with better figures?
> If not and 0.41% of crappy security that you get with real
> deployments of MitM's is the norm, then we ought be more than
> ignoring the MitM deployments - we all (and browsers!) should
> be yelling loudly about 'em as we trip over their victims.
>
> Cheers,
> S.
>
> [1]

Received on Tuesday, 31 March 2015 21:49:15 UTC