On 22/1/09 13:54, Kyle Hamilton wrote:
> Ian, I'd rather not spell this out, because it's a blueprint that any malicious coder could follow. Unfortunately, you seem to insist on documentation -- and refuse to accept the word of those who actually do know. So.
Please.... Are you assuming here that we are the repository of all security knowledge? Are you saying that the hackers don't know how to do these spoofing attacks? Are we happy with a security-by-obscurity approach, and it is too dangerous for people to really know what's going on? I've gotta trust you? Because I don't know what I'm talking about, I should be scared?
It's an MITM, right? Is there any more to say about implementation that changes that? The current thing we know about the MITM is that it can be done via various spoofing tricks (DNS, BGP) from wherever.
So the site's SSL communications can be MITM'd. Is that the conclusion?

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto