On 20 Nov 2013, at 12:24, Martijn Grooten <dcglug@xxxxxxxxxxxxxxxxxx> wrote:

> On Wed, 20 Nov 2013, Simon Waters wrote:
>>> Another good reason to use HTTPS.
>>
>> Https will stop the average 12 year old doing this.
>
> Not so sure. I know a lot of HTTPS is broken, but not to the point where an
> adversary controlling the cables can inject packets in real time.
>
> That's the whole thing: simply because traffic between Belgacom and LinkedIn and
> Slashdot goes via Cornwall, GCHQ can just sit there and inject packets when it
> wants to. At least that's what I understand to have happened.
>
> You can of course do things with forged certificates and routing traffic through
> your servers, but that is a lot more difficult to do and easier to detect.

Granted it is slightly harder, but if you have the influence to get certificates signed as needed, it isn't orders of magnitude harder. Still boils down to read and rewrite packets on the wire, desktop AV software already does it in old PCs.

Sure it can be spotted - hands up all of you who use certificate pinning or some sort of certificate notary explicitly (Chrome does some by default I believe, and Claws mail client)?

In practice where it has happened on quite a broad scale it isn't always spotted quickly, especially if it is done well, e.g. the only difference is the inner details of the certificate, so you have to fingerprint both to spot the difference.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
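
Added example, not part of the original message: a sketch of the fingerprint comparison the reply mentions, covering both a local pin check and a notary-style comparison against other vantage points. The host name, the pin store and the two "certificates" are constructed placeholders (plain byte strings standing in for DER encodings, not real certificates); on a live connection the DER bytes would come from `SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac

def fingerprint(der: bytes) -> str:
    """SHA-256 over the full DER encoding, so a changed key or signature shows up."""
    return hashlib.sha256(der).hexdigest()

def check_pin(host: str, der: bytes, pins: dict) -> bool:
    """True only if the presented certificate matches a fingerprint pinned for host."""
    seen = fingerprint(der)
    return any(hmac.compare_digest(seen, p) for p in pins.get(host, ()))

def notary_verdict(local_der: bytes, notary_views: list) -> str:
    """Compare what we were served with fingerprints reported from other networks."""
    if not notary_views:
        return "no-data"
    seen = fingerprint(local_der)
    agree = sum(1 for v in notary_views if hmac.compare_digest(seen, v))
    if agree == len(notary_views):
        return "consistent"
    if agree == 0:
        return "mismatch"   # nobody else sees this certificate: investigate
    return "partial"        # may be a rotation or a site serving several certificates

def visible_name(der: bytes) -> bytes:
    """Placeholder for the fields a user would read in a certificate dialog."""
    return der.split(b"|key=")[0]

# Constructed sample data: both blobs carry the same visible name and issuer,
# only the "key" bytes differ, as in the well-made substitution described above.
GENUINE = b"CN=www.example.org|issuer=Example CA|key=" + bytes(range(32))
FORGED = b"CN=www.example.org|issuer=Example CA|key=" + bytes(range(1, 33))

PINS = {"www.example.org": {fingerprint(GENUINE)}}   # hypothetical pin store
NOTARY_VIEWS = [fingerprint(GENUINE)] * 3            # what three other networks saw

if __name__ == "__main__":
    for label, der in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, visible_name(der).decode(), fingerprint(der)[:16],
              "pin ok" if check_pin("www.example.org", der, PINS) else "PIN FAIL",
              notary_verdict(der, NOTARY_VIEWS))
```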