Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
ITT: People who don't know how MITM attacks work.
Before browsers verified certs, it was possible to do this very simply by ARP poisoning, i.e browser thinks it is making a https connection to a server, while actually it is making it with the attacker, the attacker then decrypts your message, and negotiates a https connection with the server. Browser thinks it is securely connected to the server, but in actuality there's a machine in the middle decrypting and recrypting each message reading the contents. -
@Mr-Myrk you're right, it is possible to circumvent TLS with a MITM attack (as long as nobody verifies certs). And if you do that you can read the data exchanged between the participants. But that does not mean that end-to-end encryption is broken. If I encrypt my stuff on the application layer, an attacker who broke TLS would not be able to read anything in the stream, since the data is still encrypted by the application.
Additionally, end-to-end encryption means that data is stored encrypted, while TLS only encrypts data in transit. For the above example of mail servers end-to-end encryption means encrypting all mails using PGP for example.
Of course, MITM attacks are still possible on end-to-end encryption. But it's harder than ARP poisoning.
Related Rants
Did you say security?
10 points for next century option.
Novice computer enthusiasts argue that an application is safe because it's end-to-end encrypted.. but they don't realize this doesn't guarantee safety because of MITM attacks on possibly exploitable midpoints.
A good example of this is mail servers using TLS 1.2 but one or two of them not verifying certificate autorities.
rant
security
end to end