Thread: https access
03-12-08, 06:56 AM   #6
Re: https access

Originally Posted by Runningman
Just make your password unique from your other passwords and you shouldn't worry about these types of things, but I hate to inform you that https suffers from man-in-the-middle attacks also. So if they can "sniff" your cleartext passwords, chances are they can man-in-the-middle you also.

Please read up on this type of attack vector.
Sniffing is much easier than MTM: it is enough to sit somewhere in the connection path and capture the traffic, while MTM must be able to capture _and_ change packets in _both_ directions, for all packets. Not to mention that, above TLS, some browsers also provide other consistency checks.
Of course, the ISP can easily do MTM, but almost everybody can do sniffing.

So, I do agree that https is not the solution to all security problems, but it is anyway better to have one security layer more than one less, considering also that this does not cause more effort to the user.

Of course, my password used here is unique, my concern is if someone starts to post things in these forums with my account.

Or should I consider the missing https as a "safe harbor" mechanism?
That is, I'm not liable for postings with my name here. That would be OK too... :-)


