On Sun, 18 Mar 2012 12:30:35 +1100 ianG wrote:

> We could decide it is
> not a worry and accept it (SSH).

OpenSSH, a highly successful program with far fewer exploits.

> Or we could decide that it is a worry
> and decide to address it as our #1 threat (SSL).

A potentially highly successful program that has been implemented terribly. It has the same problem too. You need a CA chain stored in the browser, like you need a correct fingerprint for SSH securely pre-shared. The difference is dependence on third parties. Personally, I think you should implement a system that caters for both personal and third-party verified, with personal being paramount if you have any closed source apps, even if most users use one system and some users use just the other or a mix, etc.

> And, there was no outbreak of MITMing until .. when?
> Sometime around the late 00s devices appeared on the market that
> could do cracks in real time or near real time. There's still no
> outbreak or even documented occurrences to my knowledge.

That's completely irrelevant for more than one reason: do you cross the road blindfolded because there are no documented cases of someone crossing the road blindfolded and getting run over? My mate's girlfriend was stalked by her criminal boyfriend, who kept knowing what she was doing. My fairly computer-illiterate friend dug out a document demonstrating how to snoop and inject messages and also clone SIMs, etc.

> What did the GSM consortium decide to do? In 1997?
> Accept the risk.

Ignore the risk, like the banks are currently ignoring the risk to cash machines due to COST, without any increase or sustaining of profit like 3G/LTE brings.

> Right decision - if you know what their threat model was: paparazzi and
> minute thieves.

I had no idea and am now extremely angry; it was obviously flawed and they should have done a better job of 3G in that light. Do you have a link at all? I'm sure the phone hacking scandal investigators would love this, considering the damage simple voicemail has caused.

p.s. It's interesting how consortiums can decide mobiles don't cause cancer; you find they are conducted by phone companies a month or two after an independent researcher claims evidence that they do. And also Apple being in the consortium that suddenly decides Ogg shouldn't be defined as the web standard for video. A phrase springs to mind, "in consort with each other", except the web standard had Google vs Apple, which equals no decision.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security