[messaging] Google End-to-End plans on using key directories with a CT-like verification protocol

Tao Effect contact at taoeffect.com
Fri Aug 29 10:17:12 PDT 2014


On Aug 29, 2014, at 8:26 AM, Ben Laurie <ben at links.org> wrote:

> On 28 August 2014 20:44, Tao Effect <contact at taoeffect.com> wrote:
>> So, I think I was MITM attacked. [1]
>> 
>> I think I detected it.
>> 
>> I pointed it out. I presented evidence.
> 
> I am curious about this - I reviewed the tweets, and the evidence
> appears to be that the cert was changed at time A and you noticed the
> change at time A + a few weeks. I didn't see any evidence that you
> checked it between those two times...

I had checked the website the day prior to those tweets. Cert change appeared a day later. That is why I was (and am still) convinced that it was a MITM attack.

This event serves as a real-world example of the community's reaction to MITM attacks. It highlights extreme skepticism and apathy in spite of clear evidence of a MITM attack.

Only major CA compromises that have affected giant companies (like Google) get press.

This example shows that people on this list could be MITM attacked right now, and in the unlikely event that they detected it, it may not matter much. That is why I prefer systems that prevent MITM attacks from happening in the first place, and without any ambiguity.

Cheers,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140829/9d40c0ef/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140829/9d40c0ef/attachment.sig>


More information about the Messaging mailing list