- From: Chris Palmer <palmer@google.com>
- Date: Thu, 18 Dec 2014 15:49:47 -0800
- To: michael.martinez@xenite.org
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, mozilla-dev-security@lists.mozilla.org, security-dev <security-dev@chromium.org>, blink-dev <blink-dev@chromium.org>

On Thu, Dec 18, 2014 at 3:39 PM, Michael Martinez <michael.martinez@xenite.org> wrote:
> You're assuming people don't connect to open wifi hotspots where rogue
> routers can be set up by anyone. If thieves are willing to build fake ATM
> machines and distribute them to shopping centers across a large geographical
> area then they will certainly go to the same lengths to distribute rogue
> routers.

Indeed, there are many rogue wifi hotspots, and indeed many rogue routers at ISPs (it's definitely not just "last mile" routing that we need to be concerned about).

The part you're missing is that the man-in-the-middle attacker needs to present a certificate for the server, say mail.google.com, that was issued by a certification authority *that the client trusts*. Not just any certificate for mail.google.com will do.

Now, this is not an insurmountable obstacle to the attacker. But it is non-trivial: the CAs that clients trust are trying hard not to mis-issue certificates. And, we are working to make it even more difficult for attackers, such as with our Certificate Transparency and public key pinning efforts.

Before arguing against HTTPS, you should make sure you know how it works. I would encourage you to try to mount the attack you describe (only against your own computers, of course!). I think you will find that you won't get very far without a valid certificate issued by a well-known CA.

Received on Thursday, 18 December 2014 23:50:14 UTC
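
The client-side check described in the message above, as an added example that is not part of the original email: a client whose trust store holds one CA accepts a certificate for a hostname only when it chains to that CA, even if another certificate carries the same name. The hostname `mail.example.test`, the CA names and all keys are constructed placeholders generated locally with the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added illustration: every key, CA and certificate here is generated locally.
HOST="mail.example.test"   # placeholder hostname (assumption, not a real site)

new_ca() {   # $1 = dir, $2 = CA name: create a self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue() {    # $1 = dir, $2 = CA name, $3 = leaf name: certificate for $HOST signed by that CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$1/san.ext"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/$3.pem" 2>/dev/null
}

client_accepts() {   # $1 = client's trust store (PEM), $2 = certificate presented for $HOST
  # Succeeds only if the chain ends in the trust store AND the name matches.
  openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  new_ca "$d" trusted-ca            # stands in for a CA in the client's root store
  new_ca "$d" other-ca              # a CA the client has never heard of
  issue "$d" trusted-ca genuine     # what the real server presents
  issue "$d" other-ca same-name     # same hostname, issuer not trusted by the client
  for leaf in genuine same-name; do
    if client_accepts "$d/trusted-ca.pem" "$d/$leaf.pem"; then
      echo "$leaf: accepted"
    else
      echo "$leaf: rejected (does not chain to a trusted CA)"
    fi
  done
  rm -rf "$d"
}

demo
```

Both leaf certificates name the same host; only the issuer differs, and that alone decides the outcome.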