[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
Lucas Gonze
lgonze at panix.com
Fri Sep 30 21:41:55 UTC 2005
Laurian Gridinoc wrote:
>The issue is how does the client know that the login page with the
>above javascript was not modified by the MITM?
Or that the server ever really existed except as an attack vector, or
any number of other problems with bootstrapping secure systems. The
important thing is that the attacker has to perform their MITM attack on
the bootstrap rather than any later stage. This gives the disadvantage
to the attacker because:
- it can't know in advance who it will want to attack later, giving it a
large and diffuse set of targets.
- the defenders have a small and focused point of vulnerability.
For the purpose of friendnets, the advantage is overwhelmingly on the
defenders' side.