One of us has not understood the other's purpose, because I don't understand the point of your response to my first comment. Nothing is making sense after that.
My initial point was to show that mere eavesdropping on an encrypted link is still mitm, and so the full interposition is merely an implementation detail, required by the encryption.
If mere eavesdropping is still mitm, then as far as I'm concerned any other eavesdropping is also mitm.
But then I also add that a keylogger is an eavesdropper and I wouldn't call that mitm so maybe the argument is missing something.
Maybe the way I should think of it is "Yeah. It's an implementation detail. An implementation detail called man in the middle. Eavesdropping on an encrypted link requires mitm, but not all eavesdropping is mitm the way all beef is meat but not all meat is beef."
I.e. the fact that you chose not to do anything with the mitm but merely eavesdrop isn't really significant the way I argued at first. That particular example of "mere eavesdropping" is still called mitm not because "therefore eavesdropping is a form of mitm", but because that instance of eavesdropping required mitm to do it.
Allll that said, I now actually think all those other examples of eavesdropping like even a keylogger should be considered mitm. Because they are all examples of you're not talking to who you thought you were talking to. In the case of a passive observer like a wifi or keylogger or phone tap, you thought you were talking to a certain listener, but in fact you were talking to them plus other listeners.
It's perfectly logically arguable both ways.
You're right, my initial comment wasn't detailed enough to make the point I was trying to make. Let me try again; and just to be certain we're all on the same page, and not to patronise you - MITM here stands for 'Man In The Middle'.
Per your original comment:
> You have to mitm in order to eavesdrop on an encrypted channel.
This is correct. The reason for this is important - the eavesdropper has to decrypt the traffic, and the only way they can do that (assuming TLS or equivalent) is to get involved in the initial key exchange. If Alice and Bob are trying to communicate, and Eve wants to listen in, Eve has to spoof both Alice's and Bob's connections so that they (unwittingly) each negotiate an encrypted connection with Eve, instead of with each other. Then, Eve is 'in the middle' of the connection - all traffic explicitly travels through an endpoint controlled by Eve. The communication looks like Alice <-> Eve <-> Bob. Alice and Bob think they are communicating with each other, and as you point out, indirectly they are, but there is a Man (or Woman) In The Middle of the channel - Eve. Eve can do whatever she likes with the data - just store it, or modify it in some way. No matter what Eve chooses to do, the topology of the attack is, by definition, a MITM attack.
> If you do nothing but eavesdrop, isn't it still mitm?
It depends on the topology of the connection. In the scenario above, then yes. However, if Eve is just sniffing unencrypted wifi packets then no, because, again by definition, there is no third party in the middle of the communication channel. Wifi traffic is broadcast and therefore can be logged by anyone nearby without affecting the connection - just as you and I can both listen to the same radio station using different handsets (that's why busy wifi networks suffer congestion and have to use all kinds of tricks to deal with that - if every device is talking at once then the router can't easily pick them apart; they have to find ways to take turns).
In this situation it's more like Alice and Bob shouting at each other across a room, while Eve hides behind a curtain and listens in. Eve doesn't have to do anything to make this happen, apart from showing up - she is not involved in the communication channel in any way.
> If mere eavesdropping is still mitm, then as far as I'm concerned any other eavesdropping is also mitm.
Hopefully this is clearer now, but no, that's not true. The mechanism by which the eavesdropping occurs defines whether or not the attack is a MITM attack. As an aside:
> Then again, I guess a keylogger is eavesdropping and not called mitm.
Yes, a keylogger works as a kind of MITM - all communication between the keyboard and the applications travels through a third party of sorts.
Hopefully that's more useful?
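
The two topologies discussed in this thread, as an added example that is not part of either comment: a toy unauthenticated Diffie-Hellman exchange (standing in for the "TLS or equivalent" key exchange; the parameters are constructed and insecure, and all function names are illustrative). With a passive listener, Alice and Bob end up with the same key; with Eve interposed they end up with different keys, which is what a fingerprint comparison over a separate trusted channel detects.

```python
import hashlib
import secrets

# Toy group for illustration only (constructed; far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a session key fingerprint from our secret and the value we received."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def passive_topology():
    """Alice <-> Bob. Eve only copies the public values off the wire."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    observed = (a_pub, b_pub)  # everything the passive listener has
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub), observed

def interposed_topology():
    """Alice <-> Eve <-> Bob. Each side completes the exchange with Eve."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    e_priv, e_pub = keypair()
    alice_key = session_key(a_priv, e_pub)  # Alice received Eve's value, not Bob's
    bob_key = session_key(b_priv, e_pub)    # Bob received Eve's value, not Alice's
    eve_keys = (session_key(e_priv, a_pub), session_key(e_priv, b_pub))
    return alice_key, bob_key, eve_keys

def endpoints_agree(alice_key, bob_key):
    """Defender's check: compare key fingerprints over a separate trusted channel."""
    return secrets.compare_digest(alice_key, bob_key)

if __name__ == "__main__":
    a, b, _ = passive_topology()
    print("passive listener, endpoints agree:", endpoints_agree(a, b))
    a, b, _ = interposed_topology()
    print("interposed party, endpoints agree:", endpoints_agree(a, b))
```

Authenticated key exchange (certificates in TLS, host keys in SSH) automates the same check by binding the exchanged values to an identity the endpoints already trust.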