It seemed like the article couldn't decide if its audience was garden-variety users who don't know what 'root', 'owning', 'trojan', or 'virus' mean and just know they're all bad somehow, or people who could figure out how ARP works well enough to understand how ARP spoofing works well enough to understand MITM attacks. Also, the assertion that MITMs render SSL "completely useless" is somewhat misleading. True, the 'ssl' icon doesn't mean anything, but that doesn't mean SSL is useless.
I think that's the kind of confusion that actually makes it harder to explain why people should question what they see on their computer screen, whether or not they should care about changing passwords on a regular basis, and why they should not use the same password in more than one place.
Confusion will make it harder for people to remember why they should use good passwords, and change them often. The cost of confusion is much higher than the time and energy spent in dispelling it.
If you do want to get into MITMs, then it seems to me your audience is people who actively maintain the nuts and bolts of an actual local area network. For the garden-variety users, just let it be enough to say that not every establishment, be it a corner bank or google headquarters, is perfectly immune in its own place, and that should be enough to raise awareness for them without causing confusion.
If your audience is mom and pop at home on their first excursion on the Internet, then explain what to pay attention to and why, without trying to explain what ARPs are for. They'll never see one, and will just be confused by it. What they do see are web pages, login pages, and emails saying 'Hey! You need to change your paypal password over here at giveusyourpassword.com right now!'.
Or at least, given the range of topics to be covered, you might offer advice to people as to what level of expertise might find which topic helpful. Still, I liked the article, and look forward to more.
This is a good introductory article. With more to follow, I plan to check back for the updates. It just shows that there is a very large amount of risk that comes with the convenience of using the internet for our daily needs.
What kinds of changes can they make that will put a fix on this? Is it possible for the online store or bank to require you to access their site from a specific IP address? Instead of just requiring a Login, Password, and PIN, they should also relate the person's physical location to their account. If you want to access your account from a new IP address, you have to register that address (it is similar with most credit cards or banks when you want to ship an item--some do not allow you to ship to an address that is not registered with your bank).
Would this be a viable solution to most of these problems?
As far as the DNS poisoning, that is a pickle--no doubt.
SSL does improve security between two network points, but here is the catch; one of those points could be a computer controlled by a MITM. Another vulnerability with SSL is pharming, which redirects you somewhere that you don't expect. So you could connect to the false site and get their SSL icon in your browser; you feel protected, but are still at risk.
That'll only work for sites not using a signed certificate to authenticate the site to the user. Users accepting warnings when entering SSL encrypted sites are asking for it... You can't do anything to protect stupid users from themselves...
My intention with these articles is to bring an opportunity for people who are not necessarily technically minded to understand the 'how' in online fraud, as against the more usual 'why'.
The reference to SSL is spawned by the number of sites that fly that flag and exalt it as the solution for online authentication and security.
Just because someone does not know how to handle a warning about an SSL certificate does not mean they are a stupid user. A close personal friend of mine can just about use email and check his bank account online. He understands little of SSL, but runs one of the largest property companies in the UK.
Is he stupid? No, in fact he is a very shrewd guy who has long since left his first billion dollar marker behind. He just understands little of computers.
These are the people that this first clutch of articles is aimed at.
An IP address is volatile and easily changed. One solution is to issue a certificate to a user and have them install it on their computer. In this case the server and the user's client machine both verify that each is who they say they are, and a secure 'tunnel' is created between both.
Note that this is not very flexible if the user potentially uses a machine at work, or in the internet cafe, and another at home.
The user would have to maintain certificates or software on each machine from which they connect. Not a great idea for portability.
Anything that depends on IP or MAC address only will not do the job.