wparad
commented
1 month ago No, I actually pointed out this same problem in a different way, in this issue:https://github.com/WICG/dbsc/issues/46#issuecomment-2058665316. DBSC fails to protect any session that can be started or restarted by a malicious attacker.
RogerAGrimes
I'll define an adversary-in-the-middle (AitM) attack as: Attacker (Eve) sends phishing email to potential victim (Alice), containing branding that appears to relate to legitimate site/service (Bob) that victim uses. Phishing email contains a rogue link that points the victim (Alice) to a rogue AitM site/service (Eve) that then connects/proxies victim's browser session to legitimate site/service, Bob, (that uses DBSC). So, victim (Alice) is connected to eavesdropping site (E), which then connects to desired legitimate site (Bob). Eve can see everything sent between Alice and Bob.
It seems to me that even with DBSC enabled, Bob could be tricked into establishing a DBSC with Eve, and wouldn't know it is isn't Alice.
I haven't seen anything that leads me to believe that DBSC can stop AitM attacks, but I'm confirming. I could be wrong.
Is there something in DBSC to prevent AitM attacks?