ietf-openpgp

Re: Applicability of signed messages as proof of sending

2005-08-14 08:42:19

Richard Laager wrote:
I'll admit that MITM attacks are rare and sophisticated, but if you're
not guarding against them, the only take you prevent is casual snooping
on the wire. If you're only going to worry about casual snooping, you
could just as well use rot13 as your "encryption". (Granted, I'm
exaggerating a little, but why bother with something as complex and
secure as OpenPGP to prevent casual snooping?) Your points about
keyloggers, etc. are very valid.

I wish we could kill this myth that MitM is "rare and sophisticated". On wireless networks, they are common and trivial.

On wired networks they are easy for the network admins to mount. The practice is sufficiently commonplace that many corps have their own CA keys in employees' browsers so they can forge X509 certs.

Keylogging is a _much_ harder attack to mount.

Cheers,

Ben.

--
>>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff