Ask HN: How common or plausible are TLS MITM attacks?

2 points by aphextron ↗ HN
In building a financial app, I've been thinking constantly about security. Ultimately everything comes back to TLS. If that's able to be compromised, there's almost no way I can think of to stay secure. How common or realistic is it to assume this could ever happen to my application?

10 comments

[ 3.8 ms ] story [ 29.6 ms ] thread
Assuming you aren’t certificate pinning, if someone gets access to the device unlocked for a moment, they can add their own cert to the device trust and you’re dead. This is a big deal if you’re building a kiosk type of thing but not so much if it’s a phone app.

The better approach is to assume your app will get MITMed and reduce how much damage the attacker can do.

Assuming that TLS will not be broken in transit is a common and reasonable assumption. The easiest way to break TLS is at the endpoints.

Implementation errors in your code, cert mis-issuance, errors in the underlying TLS implementation (certificate parsing and validation errors are quite common) and device compromise are all things to think about.

It might be useful to think about what is your responsibility versus the device vendor's responsibility versus the user's responsibility.

@aphextron are you aphex from ytmnd?
lol yeah wow, who is this?
epo nuts still has crush on that girl i banged 17 years ago and banns me when i try to join i got to use alt account lol
aphextron is that you alex come post at rubycalaber we havent heard from you in a while
yo aphextron is that you from ytnd? remeber us come post on the forum we miss you man searched your name and found you here, not sure why they keep deleting my message but its your long lost bro, come to ruby calaber forumnd post, im there, cANT POST number here, glad i found you!
yoyo aphextron its your brother was wondering where you been for last 4 year come talk to me email me or somethin ttheredpenn@gmail.com