[messaging] Google End-to-End plans on using key directories with a CT-like verification protocol

Ben Laurie ben at links.org
Fri Aug 29 10:36:09 PDT 2014

On 29 August 2014 18:17, Tao Effect <contact at taoeffect.com> wrote:
> On Aug 29, 2014, at 8:26 AM, Ben Laurie <ben at links.org> wrote:
> On 28 August 2014 20:44, Tao Effect <contact at taoeffect.com> wrote:
> So, I think I was MITM attacked. [1]
> I think I detected it.
> I pointed it out. I presented evidence.
> I am curious about this - I reviewed the tweets, and the evidence
> appears to be that the cert was changed at time A and you noticed the
> change at time A + a few weeks. I didn't see any evidence that you
> checked it between those two times...
> I had checked the website the day prior to those tweets. Cert change
> appeared a day later. That is why I was (and am still) convinced that it was
> a MITM attack.

I haven't seen evidence that you checked the website the day prior.
I'm not sure how you would provide such evidence, either, but it does
occur to me that the tool you were using would be usefully enhanced by
showing when the old cert was last seen...

> This event serves as a real-world example of the community's reaction to
> MITM attacks. It highlights extreme skepticism and apathy in spite of clear
> evidence of a MITM attack.
> Only major CA compromises that have affected giant companies (like Google)
> get press.
> This example shows that people on this list could be MITM attacked right
> now, and in the unlikely event that they detected it, it may not matter
> much. That is why I prefer systems that prevent MITM attacks from happening
> in the first place, and without any ambiguity.

I don't know how to achieve that.

More information about the Messaging mailing list