I work in enterprise information security, and my team agreed upon hearing this news that if this was used on our email system, we would consider it a MITM attack. Whether or not the end user opted in, the corporation did not.
So, in the context of use in environments where your email address is not fully owned by you, attack would be a valid word. Otherwise, I agree that it's a MITM but not an attack.
I appreciate the data point, but I must admit that sounds very unreasonable, unless you're considering the employer as the attacker. Would the same apply if an employee were using a VPN at work?
We do block VPN on our corporate network, yes. A VPN is a tunnel that hides user activity from our monitoring and DLP tools and use of VPN from our network to the outside is against policy. Likewise, sharing your credentials with a third party is against policy.
The attacker is LinkedIn. The employee is the attack vector. LinkedIn is engaging in a phishing attack.
You didn't explicitly answer whether you consider VPN usage to be a man in the middle attack. I understand banning it (as well as this LinkedIn feature) on a corporate network, but not considering either a man in the middle attack.
VPN is a tunnel, not a MITM. It's used to bypass our monitoring and filtering. You're tunneling out of our network into someone else's, which may have more favorable rules.
This is a MITM, because LinkedIn is intercepting and modifying the traffic between the email server and the client machine, traffic which is supposed to only be read by the recipient. A VPN isn't intercepting traffic, it's used to tunnel traffic. LinkedIn is positioning themselves directly between the traffic source and the destination to read and modify the transmission.
No, in the same way we don't fire people for getting viruses on their computer. Without a reason to believe the action was intentionally designed to cause harm to the business, like cstrat said, education is the best way to handle it. It would be hard to prove malicious intent in a case like this. LinkedIn would be attacking us, the user would just be an attack vector. It's akin to getting phished.
I agree, and I think the major email providers should block it. Maybe Google can just cut off their API access and stop using LinkedIn for recruiting. That ought to get their attention.
Given that a lot of users are technically unaware of what they are doing, it would be akin to firing someone for falling for one of those pop-ups that offers to do a free virus scan. If you are a pharmaceutical sales rep and you read that LI blog post, you probably think it is perfectly safe...
I would think the responsibility falls back onto IT to educate users - and to block connections from LI to the mail server.
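As an added defender-side example, not taken from the thread, here is one way to do the check the comment above suggests: scan mail-server login records and flag any user whose credentials are being used from a third-party proxy's address range, so IT can educate the user and block the range. The proxy netblocks, the Dovecot-style log format and the sample log lines are all constructed placeholders, not real LinkedIn ranges.

```python
import ipaddress
import re
from typing import Iterable

# Placeholder netblocks for a third-party mail proxy. The thread gives no real
# ranges; in practice they come from the vendor or from your own connection logs.
PROXY_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),      # TEST-NET-3, placeholder
    ipaddress.ip_network("2001:db8:beef::/48"),  # documentation prefix, placeholder
]

# Dovecot-style IMAP login line (format assumed; adapt the regex to your server).
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def is_proxy_ip(addr: str, netblocks=PROXY_NETBLOCKS) -> bool:
    """True if the remote IP falls inside a known third-party proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in netblocks)

def find_proxied_logins(lines: Iterable[str], netblocks=PROXY_NETBLOCKS) -> dict:
    """Map each user whose credentials were used from a proxy range to the set
    of remote IPs seen. Failed or unparsable lines are ignored."""
    hits: dict = {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and is_proxy_ip(m.group("rip"), netblocks):
            hits.setdefault(m.group("user"), set()).add(m.group("rip"))
    return hits

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    "Oct 24 09:12:01 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, TLS",
    "Oct 24 09:12:44 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.42, lip=10.0.0.5, TLS",
    "Oct 24 09:13:10 mail dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.43, lip=10.0.0.5, TLS",
    "Oct 24 09:14:02 mail dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=2001:db8:beef::10, lip=10.0.0.5, TLS",
    "Oct 24 09:15:30 mail dovecot: imap-login: Disconnected (auth failed): rip=203.0.113.9",
]

if __name__ == "__main__":
    for user, ips in sorted(find_proxied_logins(SAMPLE_LOG).items()):
        print(f"{user}: credentials used from proxy range {sorted(ips)}")
```

The same address check can feed a firewall or IMAP access rule once the real ranges are known; the log scan tells you which users to talk to first.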