[cryptography] yet another certificate MITM attack

Harald Hanche-Olsen hanche at math.ntnu.no
Mon Jan 14 07:39:08 EST 2013


So let me play devil's advocate for a moment: You could say that the
browser has two components: One in the phone and one in a server
somewhere. The two components communicate over a channel provided by
good old https. The phone component sends the request to the server
component, which in turn forwards it to the remote server and then
transforms the response into a more compact form before sending it
back to the phone component. Thus no MITM, just a clever bit of
distributed computing.

The notion of the user as one end point of the protected channel is
illusory anyway; in reality, it the browser that is the end point.
What human being does SSL in his head anyhow? The only unusual thing
about this setup is that the browser is a bit here, a bit there. And
(now slipping out of my devil's advocate role) there is undoubtedly
more possibilities for exposure of sensitive data, as this data exists
unencrypted in an unexpected place.

- Harald



More information about the cryptography mailing list