|
|
|
|
|
|
by jerf
3875 days ago
|
|
|
The essense of "MITM" isn't the Middle but the fact that the Man is unauthorized, Eve to Alice and Bob. If Alice and Bob agree to put CloudFlare (oh, look, the C already works!) in between them, there's a Middle but there's no [unauthorized] Man. SSL's purpose isn't to create some sort of quasi-mythical "direct connection" between Alice and Bob, it's just removing the general Internet as a vector for many attacks. An utterly critical building block of the global Internet, but nothing more; certainly not a magic invocation that casts the spell of Security +1 across the entire communication, neither in fact nor in intent. It's worth taking a moment to try to explore what the idea of "direct connection" is that you have in your head, in a world where Bob is probably already a program generating HTTP with no human interaction in an arbitrarily-complicated manner, with arbitrarily-complicated combinations of SSL accelerators, WAFs, and whoknows what other network appliances, even before we consider what it means to assemble a page from JS and images from 10 different domains representing other entities, and where Alice is using a browser and arbitrary plugins, each of which she is implicitly trusting, and possibly a proxy. If you examine this closely it becomes surprisingly complicated. |
|
|
I appreciate the whole post, but this is such a wonderfully geeky turn of phrase that I have to acknowledge it!