Aryeh Gregor wrote:
> Yes, I'm aware all this is possible in theory. Even more trivially,
> just set up a nice high-quality wireless hotspot and do whatever you
> want with the traffic. But do you know of any time this has
> *actually* *happened*? Where a malicious person has successfully
> staged a MITM attack in the wild against a typical person using the
> Internet, in the last decade or two?
>
*Yes.* Of course, I've long been involved in Internet security, so I'm privy to information that is discussed more privately by the vetted....

Moreover, there have certainly been *claims* that Wikipedia accounts have been hijacked. Folks have been adding ownership hashes to their user pages, to be able to re-establish ownership.

You may be thinking about the various proofs of concept for MITM against SSL, which is certainly possible (although impractical without financing). But MITM against disclosing passwords and cleartext cookies is known.

A fairly public example that comes to mind -- for a considerably less well known site than Wikipedia (but very popular in its day) -- was a MUD. An Immortal account was hijacked, and through a known software bug, privileges were escalated to God. The miscreants actually wiped the entire user account database, causing thousands to lose their accumulated belongings and status. The daily backups were inconsistent, and after several days of examining the static data for trapdoors and other problems, the site was restored with all players having to start over....

Now, think about that being Wikipedia.... Does anybody really think the software here is bug free? Defense in depth helps.

Some may not think that this site is critical, or valuable, or whatever. But I joined this list back when ISP support calls were escalating because of lag. Imagine the monetary cost to the world for complete site failure or massive disruption.

Those with administrator or other privileges should use the secure server. Heck, they should be prohibited from logging in by any other means.

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l