reynt0 wrote:
> I'm curious. Not counting DOS (which can always be done
> by cutting your outside wires, if nothing else), isn't there
> *any* way to get some things done despite competent MitM?

Yes. Dodge the MitM.

> Like exchange public keys in person then go home and use
> those to communicate? (Note, this is just MitM in question,
> not attack on your host, etc.)

Crypto aficionados like to talk about MitM as if good crypto can defend against it. To an extent it can, but _only if you assume your PC cannot be hijacked._ If the attacker knows the endpoint and is controlling your data traffic, then it is folly to assume the MitM will not or cannot attempt to jack your endpoint. If you're going to assume the MitM is going to play nice and not use the best tools in his toolbox, then while we are talking fantasies I would like it to be assumed I'm wealthy and am married to Claudia Schiffer.

Dan Geer posted to this list a while ago his estimate that around 30% of all PC desktops were already hijacked. Vint Cerf's numbers are in the same neighborhood. One think tank in Australia believes the number is over 50%. The numbers are genuinely scary. And keep in mind, these are not numbers which suppose dedicated attackers who want to subvert your machine: these are numbers which represent drive-by attacks sprayed at whoever's convenient.

If you're going to assume the existence of an active MitM who will deliver you trojaned binaries and will play games with SHA1 sums -- as the original poster specified -- then you have to assume you are dealing with someone who is going to attempt to jack your box. The odds are quite good that they will succeed. Once your box is jacked, the game is over and you cannot win.

OpenPGP is a great standard. It's very useful. It's a good tool in the toolbox. But it is not magic fairy dust and it cannot work miracles.

_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
