On Thu, Dec 18, 2014 at 3:46 PM, Michael Martinez <
michael.martinez@xenite.org> wrote:
>
> No, what I am saying is that you can bypass the certificate for a MITM
> attack via a new technique that was published earlier this year.
>
Citation needed.
Earlier this year, you made these two G+ posts suggesting HTTPS is broken:
https://plus.google.com/102255413942524311706/posts/bBMdzq8Z3vF
Google, the great champion of HTTPS/SSL, cannot prevent yet more
man-in-the-middle attacks against its users:
http://www.theregister.co.uk/2014/11/21/hackers_snaffling_smartphone_secrets_with_redirection_attack/
https://plus.google.com/102255413942524311706/posts/LjKu1UfraXR
If your company is serious about using HTTPS it has to do it right (not
that it will matter, but don't throw your money away on bad
implementation).
http://www.darkreading.com/endpoint/the-week-when-attackers-started-winning-the-war-on-trust-/a/d-id/1317657
The first link is about an ARP-poisoning man-in-the-middle attack that has
nothing to do with HTTPS/SSL, the article doesn't mention "HTTPS" or "SSL",
and in fact the attack would have been *prevented* by HTTPS/SSL.
The second link is about how mismanaging your web server can compromise
HTTPS's added security benefits (e.g., using long-unsupported MD5
certificates or revealing your SSL secret key). That's true, but
misleading: the risks are no more severe than if you mismanage an HTTP-only
server.
You seem to be arguing that people shouldn't be encouraged to lock their
doors when leaving because sometimes they forget to lock their windows.
But actually we need to encourage people to do *both*.