
The Web Authentication Arms Race – A Tale of Two Security Experts - Permit
http://blog.slaks.net/2015-10-13/web-authentication-arms-race-a-tale-of-two-security-experts/
======
moreati
I'm a fan of this dialogue style, particularly for showing the
history/motivations/context of a design or situation. Kerberos is what first
introduced me to it:
[http://web.mit.edu/kerberos/dialogue.html](http://web.mit.edu/kerberos/dialogue.html)

------
zaroth
Thought this was going to be about password cracking, but instead turned out
to be an interesting take on MITM vectors which bypass the password and
piggyback on an existing session.

I would think that anyone with that level of access to compromise the channel
would likely be able to just compromise the server itself?

~~~
GauntletWizard
Not so. The NSA smiley [1] showed that the smartest of attackers (or maybe the
Chinese are, but that's beside the point) are still (or were still, as of ~5
years ago) relying on passive MITM. It's far easier to exploit a passive
vulnerability for a long time; active exploits leave traces and give clues as to
who you are. Passive exploits often leave the user without any idea that they
are being snooped.

[1]
[https://www.google.com/search?q=nsa+smiley&es_sm=122&tbm=isc...](https://www.google.com/search?q=nsa+smiley&es_sm=122&tbm=isch&imgil=VuJ8ZFTEmP3nvM%253A%253B4Fg1sd5R8Hj6wM%253Bhttp%25253A%25252F%25252Fwww.newyorker.com%25252Fnews%25252Famy-davidson%25252Ftech-companies-slap-back-at-the-n-s-a-s-smiley-face&source=iu&pf=m&fir=VuJ8ZFTEmP3nvM%253A%252C4Fg1sd5R8Hj6wM%252C_&biw=1920&bih=1115&usg=__QePJRyzqVcukmkqgDaKspXJPw_Q%3D&ved=0CCcQyjdqFQoTCL-x8oa5wcgCFYkqiAodX1QFjg&ei=EQUeVv_kN4nVoATfqJXwCA#imgrc=VuJ8ZFTEmP3nvM%3A&usg=__QePJRyzqVcukmkqgDaKspXJPw_Q%3D)

~~~
dgoldstein0
... because if a passive attack works and is easier to launch, why bother with
an active attack?

------
vortico
> I will find or compromise a shady certificate authority and get my own
> certificate for your domain name

Whoa there, I don't think this is a realistic expectation of an attacker.

However, the author is right in that it is much easier to attack the
endpoints. Users install every piece of software on the planet, and the
Firefox/Chrome user storage directory is openly accessible to all programs.
There are also many remote code execution vulnerabilities in the wild that
could be used to query a database server or steal keys.

~~~
dgoldstein0
I thought the same. I think at this point we've graduated from "there's
already a metasploit / other open source code for it" to "it's probably
possible, if you are fairly determined but not necessarily the NSA". There are
probably a few CAs with lax security procedures, just given how many there
are... but hacking one is a much bigger endeavor than SSL stripping.

------
jakeogh
Attacker: I will buy the company that owns servers you are connecting to.

------
balajics
[offtopic] How many of you noticed that hovering on the left color band shows
the post list? Clever UI / bad design :/

------
arikrak
MITM attack = Man-in-the-middle attack [https://en.wikipedia.org/wiki/Man-in-the-middle_attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)

