- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Fri, 7 May 2010 16:40:59 -0400
On Fri, May 7, 2010 at 4:21 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> On Fri, May 7, 2010 at 10:06 AM, Juuso Hukkanen <juuso_html5 at tele3d.net> wrote:
>> 1) Man-in-the-middle problem; which doesn't exist because
>>        a) those are just academic mind games
>
> You don't get to talk about security anymore.

I don't think "academic" is an *entirely* unfair characterization of MITM on the web, actually. MITM is hard enough to pull off on the open web that unless you're a bank or PayPal or something, it's unlikely anyone would bother. In practice, most web developers don't have to worry about MITM. By contrast, something like XSS or SQL injection is often so easy to exploit when it exists that any site is at risk, from botnet operators targeting their outdated software or from script kiddies feeling bored or spiteful.

In fact, do you know of *any* examples of MITM attacks being successfully used against a public website? It's not that I doubt that it's happened, but I don't actually know of any specific cases. In principle, you should be able to harvest lots of passwords by dropping some free wireless routers in strategic locations.

(There's still an entirely different fatal problem with what you quoted, though: if you aren't worried about MITM, then encryption is pointless to begin with. I don't dispute your conclusion. :) )
Received on Friday, 7 May 2010 13:40:59 UTC