Comments: MITM watch - sitting in an English pub, get MITM'd

^ Like.

Your example makes me think that the proper response for an ideal browser encountering an authentication failure would be:

Server not found.

It's a bit austere I know, but essentially the browser is simply telling you that it is unable to connect with the authentic server you are seeking. Where you go from there is up to you, but "clicking through" is not an option.

Posted by Patrick Chkoreff at December 4, 2014 11:54 AM

So true...

I saw MITM on the public wifi at a U.S. federal agency. I won't say which one, but they are responsible for regulating things like... the internet. I pointed out the problem to their IT team and after an initial bout of confusion, they fixed the problem and claimed some vendor had set that up for them. Despite a full time security team of over a dozen people, nobody noticed the MITM except me (a part time contractor who only pops in periodically).

Whenever I see a non-technical user presented with a certificate error, they always click right through. I have a friend who's an MBA and is fairly security savvy (uses a password manager) and he reflexively clicked through a certificate error while _at a hotel in a foreign country_! (The badness of iOS certificate warnings borders on negligence.) It's just pure muscle memory. Average people have no idea what those certificates are supposed to be doing.

Posted by Mark at December 4, 2014 04:40 PM