On 8 December 2013 19:25, Gregory Maxwell <gmaxwell@gmail.com> wrote:
> On Sun, Dec 8, 2013 at 11:16 AM, Drak <drak@zikula.org> wrote:
> > BGP redirection is a reality and can be exploited without much
>
> You're managing to argue against SSL. Because it actually provides
> basically protection against an attacker who can actively intercept
> traffic to the server. Against that threat model SSL is clearly— based
> on your comments— providing a false sense of security.

Let me clarify. SSL renders BGP redirection useless because the browser holds the signatures of CAs it trusts: an attacker cannot spoof a certificate because it needs to be signed by a trusted CA: that's the point of SSL, it encrypts and proves identity, the latter part is what thwarts MITM. If there was an MITM, the browser screams pretty loudly about it with a big threat warning interstitial.

Regards,

Drak