On Fri, 2010-05-07 at 16:40 -0400, Aryeh Gregor wrote:

> On Fri, May 7, 2010 at 4:21 PM, Tab Atkins Jr. <jackalm...@gmail.com> wrote:
> > On Fri, May 7, 2010 at 10:06 AM, Juuso Hukkanen <juuso_ht...@tele3d.net> wrote:
> >> 1) Man-in-the-middle problem; which doesn't exist because
> >>        a) those are just academic mind games
> >
> > You don't get to talk about security anymore.
> 
> I don't think "academic" is an *entirely* unfair characterization of
> MITM on the web, actually.  MITM is hard enough to pull off on the
> open web that unless you're a bank or PayPal or something, it's
> unlikely anyone would bother.  In practice, most web developers don't
> have to worry about MITM.  By contrast, something like XSS or SQL
> injection is often so easy to exploit when it exists that any site is
> at risk, from botnet operators targeting their outdated software or
> from script kiddies feeling bored or spiteful.
> 
> In fact, do you know of *any* examples of MITM attacks being
> successfully used against a public website?  It's not that I doubt
> that it's happened, but I don't actually know of any specific cases.
> In principle, you should be able to harvest lots of passwords by
> dropping some free wireless routers in strategic locations.
> 
> (There's still an entirely different fatal problem with what you
> quoted, though: if you aren't worried about MITM, then encryption is
> pointless to begin with.  I don't dispute your conclusion.  :) )


http://xkcd.com/341/

Maybe not exactly what you had in mind, but it is a man-in-the-middle in
a sort of sense.

Thanks,
Ash
http://www.ashleysheridan.co.uk

