31 Dec 2018, 01:10 AM   #12
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Quote:
Originally Posted by JeremyNicoll
No matter what the app is, it has to send traffic to and from Fastmail's servers (just like the browser would do). It seems to me that that would be just as susceptible to a man-in-the-middle attack? Unless the app doesn't use DNS to look up the FM server's name and find its IP address - but if that were so, it would also mean it couldn't be diverted to alternate FM servers (when, e.g., FM have an outage on one set of servers). Or, unless the app encrypts traffic using a key that only it (and the FM servers) know - but is that possible? Couldn't bad guys reverse-engineer the app and discover the key?
A man-in-the-middle attack can intercept traffic based on IP address, as well as DNS queries. Any robust authentication method must assume that traffic can be intercepted and replayed. That is why it is a non-trivial problem. It can pretty much only be done when there is a hardware security device on the client end that can set up session keys in a way that cannot be replicated by an attacker.