Phil Pennock wrote:
> On 2009-03-03 at 00:00 -0800, Michael G Schwern wrote:
>> Phil Pennock wrote:
>>> On 2009-03-02 at 18:36 -0800, Michael G Schwern wrote:
>>>> Tony Finch wrote:
>>>>> On Mon, 2 Mar 2009, Francisco Olarte Sanz wrote:
>>>>>> I think the point made by the original poster is valid, if you use an
>>>>>> encrypted unauthenticated connection you cannot just be sniffed, you
>>>>>> need to be subject to a MITM or similar attack.
>>>>> That's so difficult!
>>>> Yes, MITM is difficult.
>>> Bull. Go ahead and install dsniff, read the man-pages for the utilities
>>> that software provides.
>>>
>>> You're spewing forth crap and are too ignorant to realise it.
>
>> The sorts of things dsniff can do are easily defeated by an "am I talking to
>> the same ident as last time" system like ssh uses.
>
> Please stop straw-manning the argument. "Same ident as last time" is
> not unauthenticated.

When I say "encryption tangled with identification" I mean SSL style. Not just ssh style "you're the guy I talked to last time" which is cheap, but "you're Joe Bank, owner of joebank.com" which is expensive. Recall that this started out as a rant against the SSL cert trust process.

I don't know why you'd eliminate the "you're the guy I talked to last time" part. It's easy, it's cheap, it solves 80% of the problem. If you thought I was advocating eliminating that, no wonder you thought I'm an ignorant idiot.

Now I trust the thread makes a lot more sense?

-- 
Being faith-based doesn't trump reality.
    -- Bruce Sterling
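
The "same ident as last time" check discussed in this thread, sketched as an added example (not code from the post or from ssh itself): a pin store that accepts whatever key it sees first and flags any later change. The class name `PinStore`, the host `mail.example.org` and the key bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac


class PinStore:
    """Remembers one key fingerprint per host (ssh known_hosts style)."""

    def __init__(self):
        self._pins = {}  # host -> hex SHA-256 of the key seen first

    def check(self, host, public_key):
        """Return 'first-contact', 'same-as-last-time' or 'changed'."""
        host = host.lower()
        seen = hashlib.sha256(public_key).hexdigest()
        pinned = self._pins.get(host)
        if pinned is None:
            # Nothing to compare against: the key is accepted on faith.
            self._pins[host] = seen
            return "first-contact"
        if hmac.compare_digest(pinned, seen):
            return "same-as-last-time"
        # Never overwrite the pin silently; a human has to decide.
        return "changed"

    def replace(self, host, public_key):
        """Explicit, operator-approved re-pin after a verified key change."""
        self._pins[host.lower()] = hashlib.sha256(public_key).hexdigest()


def demo():
    # Constructed sample keys; real ones would be the server's public key bytes.
    key_a = b"constructed-public-key-A"
    key_b = b"constructed-public-key-B"
    store = PinStore()
    return [
        store.check("mail.example.org", key_a),  # first visit
        store.check("MAIL.example.org", key_a),  # same key, later visit
        store.check("mail.example.org", key_b),  # different key appears
        store.check("mail.example.org", key_a),  # pin was not overwritten
    ]


if __name__ == "__main__":
    print(demo())
```

The `first-contact` result is the part continuity alone does not cover: the store cannot say whose key it pinned, only that later connections present the same one.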