Bold Assertion: there are no Men in the Middle
-----BEGIN PGP SIGNED MESSAGE-----
I have the intuition that there has never been a successful
MITM attack which has subverted the use of PGP
authentication. If we could be sure of this hypothesis,
then we could go about creating a strongly linked Web O
Trust and then use it from now until such a future time as
1024-bit PGP keys are brute forceable. We could also use
it to bootstrap bigger keys, a wider and more strongly-
connected Web O Trust, etc.

I can't think of any good way to test this hypothesis,
however. One thing that we _could_ test is the difficulty
of performing such an attack.

If I had the cash, I would post a reward for anyone who
could successfully run a demo MITM attack on two
unsuspecting stooges. I would (of course) specify with more
precision what would constitute a successful attack, how it
would be proven to me that the attack was successful and so
forth.

But I don't have sufficient cash to motivate such a trick,
and there would be some very complicated ethical and
logistic questions about performing it.

I still have a strong intuition that I could keep my cash if
I made such a proposal and gave it a few simple stipulations
(such as that the attacker would have to forge important
material in the victim's name rather than just use the
attack to eavesdrop...). The successful attacker would
have to have the ability to get in the middle of TCP/IP
connections as well as perhaps telephone connections, as
well as have formidable computational and
"social-engineering" (really: "-cracking") resources.

more later,

Bryce
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2
-----END PGP SIGNATURE-----