Ian G wrote, On 2008-10-18 12:32: > This is the pathological problem with MITM protection that has > existed from day 1 of SSL: it was a solution in advance of a > problem. Given that the solution was theoretical, and the problem > had no practical existence (until recently), the solution could > never be trialled against a real attacker. Add in some complexity, > hello brittleness, meet shatter!
Be careful not to confuse and conflict the MITM detection properties of SSL with the MITM resistance properties of the browser UI. As we see in this case, SSL did not fail to detect a single one of the attacks, but the browser UI allowed the value of that detection to be lost. Failure of browser UI is not a bad reflection on SSL, except to the extent that people who write about this confuse the two. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto