Re: 2 questions

"Adrien de Croy" <adrien@qbik.com> Tue, 31 March 2015 20:55 UTC

From: Adrien de Croy <adrien@qbik.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Xiaoyin Liu <xiaoyin.l@outlook.com>, Dan Anderson <dan-anderson@cox.net>, "Walter H." <walter.h@mathemainzel.info>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Tue, 31 Mar 2015 20:49:02 +0000
Message-Id: <emb9aea729-e991-4f83-bd83-960342d99b87@bodybag>
In-Reply-To: <5519F1A7.8090900@cs.tcd.ie>
Reply-To: Adrien de Croy <adrien@qbik.com>
Subject: Re: 2 questions
Archived-At: <http://www.w3.org/mid/emb9aea729-e991-4f83-bd83-960342d99b87@bodybag>

It's great people are doing work in that area and thanks for posting 
that link.

However, I don't know if the conclusion can follow that it's completely 
bogus to consider the impact of MitM at all, and if not now then for all 
time (I know this wasn't your exact claim).  Even the study remarked 
they got double the result of a previous study.  That could be down to 
better testing, and/or growth in use of MitM in the intervening time 
period.

Without the source to their flash app, it's hard to tell whether there 
were any issues with the validity of the testing.  Also it's hard to 
know from a google adwords campaign whether you are getting skewed 
results for instance where there are proxies configured on a whitelist 
basis (there are many of these) that prevent access to the test site.  
So I believe the number reported will be on the low side.  How much 
lower than real is for anyone to guess.  As to where to draw the line 
between what we consider significant and insignificant: is 1% 
insignificant?  2%?

I know the use of MitM is growing (at least in our customer-base).  Sure 
some may be abandoning it, but I'm not really seeing any evidence of 
that.  So maybe in a couple years it could be much higher than 0.41%, 
and for corporate users I'm certain it is much higher.  I don't see the 
same incentives for ISPs to deploy MitM and there are bigger issues like 
convincing people to install root certs, which corporate environments 
don't suffer from in the same way.

So whilst very interesting, I don't know if we can really draw too much 
from this study alone.  It would be very interesting to see the results 
redone at say yearly intervals.

Adrien


------ Original Message ------
From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
To: "Adrien de Croy" <adrien@qbik.com>; "Xiaoyin Liu" 
<xiaoyin.l@outlook.com>; "Dan Anderson" <dan-anderson@cox.net>; "Walter 
H." <walter.h@mathemainzel.info>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 31/03/2015 2:00:23 p.m.
Subject: Re: 2 questions

>
>
>On 31/03/15 01:07, Adrien de Croy wrote:
>>
>>  With MitM all bets are off
>
>Seems to me that claims of the prevalence of MitM are
>somewhat exaggerated. The last study I recall of those
>in the wild found about 0.41% of requests affected. [1]
>
>So I think any argument of the form "don't do X to try
>to be more secure or private, since the prevalence of MitM
>implies X is pointless" ought to be considered bogus at the
>~99.5% confidence level, at least according to [1].
>
>I also note that [1] found that those few unfortunate
>victims of the MitM attack are terribly served between UA
>and MitM as they saw a bunch of short RSA keys (with no PFS)
>used. And one would expect that to be the case as a supposedly
>"benevolent" MitM will generally decide to prefer crap
>security so that their always-negative performance impact
>is minimised. (Seeing commensurate security on both sides
>of the MitM might even be considered as indicative that
>the MitM is more likely malicious and not benevolent? I've
>not seen that measurement so far as I recall, so I'm just
>speculating there.)
>
>Are there better studies out there with better figures?
>
>If not, and 0.41% of the crappy security that you get with real
>deployments of MitM's is the norm, then we ought to be doing more
>than ignoring the MitM deployments - we all (and browsers!) should
>be yelling loudly about 'em as we trip over their victims.
>
>Cheers,
>S.
>
>[1] http://arxiv.org/abs/1407.7146
>
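The following is an added example, not part of the thread above or of the study at [1]. It sketches the measurement approach the thread is arguing about and the "how badly are the victims served" check Stephen raises: a test site knows which leaf certificate it serves, a client-side probe reports back the leaf it actually saw together with the cipher suite and RSA key size it negotiated, and the site compares fingerprints. A mismatch means something between the browser and the site re-signed the connection; the negotiated parameters then show whether that interceptor offers forward secrecy or a short RSA key. All certificate bytes, issuer names and probe reports below are constructed stand-ins, and the cipher-name parsing covers common OpenSSL suite names only (anonymous DH suites are not handled).

```python
"""
Detecting TLS interception from a test site's point of view, and grading
the security the intercepted client actually negotiated.

A client probe reports (leaf certificate, issuer CN, RSA key size, cipher
suite).  If the leaf differs from the one the site serves, the client was
intercepted.  All sample data here is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded leaf certificates.  Real code would
# use the bytes from ssl.SSLSocket.getpeercert(binary_form=True).
GENUINE_LEAF_DER = b"constructed: leaf cert as served by the test site"
FORGED_LEAF_DER = b"constructed: leaf cert minted by an intercepting proxy"

# (EC)DHE key exchange gives forward secrecy; plain RSA key transport does not.
PFS_KX = {"ECDHE", "DHE", "EDH"}
# Bulk ciphers that browsers already treated as legacy or broken by 2015.
LEGACY_BULK = {"RC4", "DES", "CBC3", "EXP", "EXP1024", "NULL", "IDEA", "SEED"}


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of a DER certificate, the usual comparison key."""
    return hashlib.sha256(der).hexdigest()


def parse_cipher(openssl_name: str) -> dict:
    """Split an OpenSSL cipher-suite name into the properties we care about.

    TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) always use an ephemeral
    key exchange, so they count as PFS regardless of the name.
    """
    if openssl_name.startswith("TLS_"):
        return {"kx": "ECDHE", "pfs": True, "legacy_bulk": False}
    parts = openssl_name.split("-")
    kx = parts[0] if parts[0] in PFS_KX else "RSA"
    return {
        "kx": kx,
        "pfs": kx in PFS_KX,
        "legacy_bulk": any(p in LEGACY_BULK for p in parts),
    }


@dataclass
class Observation:
    """What one client probe reported back to the test site."""
    client_id: str
    leaf_der: bytes
    issuer_cn: str
    rsa_bits: int
    cipher: str


def assess(obs: Observation, expected_fp: str) -> dict:
    """Decide whether this client was intercepted and how well it was served."""
    intercepted = sha256_fingerprint(obs.leaf_der) != expected_fp
    c = parse_cipher(obs.cipher)
    findings = []
    if intercepted:
        findings.append(f"leaf certificate differs from ours; issuer '{obs.issuer_cn}'")
    if not c["pfs"]:
        findings.append(f"no forward secrecy ({c['kx']} key exchange)")
    if obs.rsa_bits < 2048:
        findings.append(f"short RSA key ({obs.rsa_bits} bits)")
    if c["legacy_bulk"]:
        findings.append(f"legacy bulk cipher ({obs.cipher})")
    return {"client_id": obs.client_id, "intercepted": intercepted, "findings": findings}


def summarize(observations, expected_fp: str) -> dict:
    """Aggregate probe results into the kind of fraction the study reports.

    The denominator is clients that reached the test site at all.  A
    whitelisting proxy that blocks the site is never counted, so the
    fraction is a lower bound on interception, as the thread points out.
    """
    results = [assess(o, expected_fp) for o in observations]
    intercepted = [r for r in results if r["intercepted"]]
    weak = [r for r in intercepted if len(r["findings"]) > 1]
    return {
        "total": len(results),
        "intercepted": len(intercepted),
        "fraction": len(intercepted) / len(results) if results else 0.0,
        "intercepted_with_weak_params": len(weak),
        "results": results,
    }


# Constructed probe reports: one client behind a corporate filter that
# re-signs with a 1024-bit key and RSA key transport, three untouched.
SAMPLE_OBSERVATIONS = [
    Observation("c1", GENUINE_LEAF_DER, "Example Public CA", 2048, "ECDHE-RSA-AES128-GCM-SHA256"),
    Observation("c2", FORGED_LEAF_DER, "Example Corp Web Filter CA", 1024, "AES128-SHA"),
    Observation("c3", GENUINE_LEAF_DER, "Example Public CA", 2048, "DHE-RSA-AES256-SHA"),
    Observation("c4", GENUINE_LEAF_DER, "Example Public CA", 2048, "TLS_AES_128_GCM_SHA256"),
]

EXPECTED_FP = sha256_fingerprint(GENUINE_LEAF_DER)

if __name__ == "__main__":
    report = summarize(SAMPLE_OBSERVATIONS, EXPECTED_FP)
    print(f"{report['intercepted']}/{report['total']} intercepted "
          f"({report['fraction']:.2%}), "
          f"{report['intercepted_with_weak_params']} with weak parameters")
    for r in report["results"]:
        for f in r["findings"]:
            print(f"  {r['client_id']}: {f}")
```

In a live deployment the probe would fill an Observation from `ssl.SSLSocket.cipher()` (suite name) and `getpeercert(binary_form=True)` (leaf DER); the RSA key size has to be read from the certificate with an ASN.1 library, which is left out here. Note that only the client-to-interceptor leg is visible to this check, so Stephen's speculation about comparing the security on both sides of the MitM is not something the test site can measure on its own.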