First, thanks for engaging! I appreciate getting corrected on this.
> Not really. I did expound on this in the very comment you replied to.
I agree with your expounding. Perhaps I'm not seeing where you addressed my concern, but these statements:
1. "Man in the middle only involves encryption."
2. "The OWASP definition is correct."
seem to be at odds, given that (3) OWASP does not exclude attacks on unencrypted channels (per their MiTM page). One of your statements (1 or 2) must be wrong, or my understanding of the OWASP definition (3) is wrong.
I'm not sure what to make of your response to my "trust" comment (though I agree with everything you said, it seems to be in a different context from the question). We're probably speaking past each other. Let me try to tease out the disagreement.
> The gist of a MITM is that each end of the transmission trusts that the malicious actor in the middle is the target destination. When this occurs at the application layer it is almost universally centered on encryption. Keep in mind that in TCP/OSI terms the web is an application riding the internet. Without encryption how do you trust that the destination is who they claim to be?
So does your definition of "trust" here _require_ encryption? Is encryption _explicitly_ required in a MiTM attack, or is it only required for "trust" (which I agree is necessary)?
How is anything online trusted? The most common way to establish trust, for anything, is through hashing. Online locations apply hashing via certificates issued by a trusted certificate authority. Those certificates can be spoofed, just as a destination domain can be spoofed. The strength of security is that it takes extra work to spoof two unrelated things and that the issuing CA is trusted by other CAs and applications. On the web, exposure to risk is limited by usually only applying those certificates to the key exchange of TLS. These certificates can be used for more, though, like digital signatures on documents.
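The trust question the thread is circling (each end of an exchange accepting the party in the middle as its peer, and a pinned certificate or identity being what stops that) is easier to see in code. The following is an added illustration, not code from any comment in this thread. It simulates a Diffie-Hellman-style key exchange with an active relay, first with no authentication of the public values, then with the server's public value carrying a tag the client checks against a long-term identity key it pinned out of band. The toy group parameters, the HMAC-as-certificate stand-in (TLS uses an asymmetric signature over the handshake instead), and the party names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters for the example. Not a production group: real
# deployments use RFC 7919 finite-field groups or elliptic curves.
P = (1 << 127) - 1  # 2^127 - 1, a Mersenne prime; values fit in 16 bytes
G = 5


def dh_keypair():
    """Return (private exponent, public value G^x mod P)."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Hash the DH shared secret into a session key (hex string)."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def authenticate(identity_key, pub):
    """Stand-in for a CA-issued certificate plus signature (assumption for
    this example): a MAC over the public value under a long-term key the
    client has pinned out of band. Only the holder of identity_key can
    produce a tag the client will accept."""
    return hmac.new(identity_key, pub.to_bytes(16, "big"), "sha256").hexdigest()


def verify(identity_key, pub, tag):
    return hmac.compare_digest(authenticate(identity_key, pub), tag)


def relay_unauthenticated():
    """Active relay against a bare key exchange: each endpoint ends up keyed
    to the attacker while believing it is keyed to the other endpoint."""
    a_priv, a_pub = dh_keypair()      # client
    b_priv, b_pub = dh_keypair()      # server
    m1_priv, m1_pub = dh_keypair()    # attacker's value shown to the server
    m2_priv, m2_pub = dh_keypair()    # attacker's value shown to the client

    # Client -> (attacker) -> server: attacker substitutes m1_pub for a_pub.
    server_key = derive_key(b_priv, m1_pub)
    # Server -> (attacker) -> client: attacker substitutes m2_pub for b_pub.
    client_key = derive_key(a_priv, m2_pub)

    # The attacker now holds one session key per leg and can decrypt,
    # read or alter, and re-encrypt everything passing between them.
    attacker_client_leg = derive_key(m2_priv, a_pub)
    attacker_server_leg = derive_key(m1_priv, b_pub)
    return {
        "client_key": client_key,
        "server_key": server_key,
        "attacker_client_leg": attacker_client_leg,
        "attacker_server_leg": attacker_server_leg,
    }


def relay_authenticated(attacker_present):
    """Same exchange, but the server's public value is tagged under the
    identity key the client pinned. Returns (client_accepted, keys_match)."""
    server_identity = secrets.token_bytes(32)  # only the real server holds this
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    if attacker_present:
        _, m_pub = dh_keypair()
        # The attacker can spoof the public value, but not the tag: it can
        # only tag with its own key, which the client's trust anchor does
        # not cover (the "two unrelated things" it would have to spoof).
        offered_pub = m_pub
        offered_tag = authenticate(secrets.token_bytes(32), m_pub)
    else:
        offered_pub = b_pub
        offered_tag = authenticate(server_identity, b_pub)

    if not verify(server_identity, offered_pub, offered_tag):
        return False, False  # client aborts the handshake
    client_key = derive_key(a_priv, offered_pub)
    server_key = derive_key(b_priv, a_pub)
    return True, client_key == server_key


if __name__ == "__main__":
    r = relay_unauthenticated()
    print("unauthenticated: client and server share a key?",
          r["client_key"] == r["server_key"])
    print("unauthenticated: attacker shares client's key?",
          r["client_key"] == r["attacker_client_leg"])
    print("authenticated, no attacker:", relay_authenticated(False))
    print("authenticated, with relay:", relay_authenticated(True))
```

In the unauthenticated run the encryption itself works perfectly on both legs; what is missing is any binding between the public value and the identity the client intended to reach, which is exactly what the certificate (here, the pinned-key tag) supplies in the second run.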