On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray <ma...@extendedsubset.com> wrote:
> Still it might be worth pointing out that if Wells Fargo really wanted to
> forbid a Trustwave network-level MitM, SSL/TLS provides the capability to
> enforce that policy at the protocol level. They could configure their web
> app to require a client cert (either installed in the browser or from a
> smart card).

Maybe though you meant this specific type of "non-malicious" MiTM and the problem is we don't have a name for that right now. If you meant all MiTM though, your solution only stops attackers who want to make it look like you're interacting with the real site, not one who merely wishes to steal your data. In that case they don't have to talk to the real wells-fargo website :)

This is exactly why some people are pushing so hard for protocols that get "exclusion" including things like CA-Pinning in Chrome, CAA, etc...

- Andy