So newb question to break up all the drama a bit....
what is all this verification to prevent MITM stuff?
ive seen it, but what do I do with it?
thanks
It's there for your peace of mind. It's an optional step that you can use to verify the authenticity of the deposit address prior to sending funds. My guess as to the reasoning is that if a MITM attack was taking place,
the attacker would not posses certain information found in the message and therefore the generated signature from the injected address would not match.
The attacker would not possess the private key associated with that deposit address. Only someone with the private key that corresponds to that deposit address would be able to generate that signature with that message.
I'm assuming that an attacker that injects a deposit address would also possess the private key for that address.
If an attacker injects a fake deposit address, then yes, it only makes sense to that he possesses the private key to that fake address. However, when you attempt to verify a message that was signed with the private key of the real deposit address, the signature will not match up with the fake deposit address, causing validation to fail.
I think that was my point. Although I'll admit a certain ignorance when it comes to the soundness of this approach as it appears on the surface. One would think that if an attacker has the ability to inject a deposit address, then he would also have the ability to at the same time inject his own message and signature, which would then be verifiable when checked against the fake address.
The one way I can see around this is if the message contained some information that the attacker does not know, and is unable to intercept, and therefore unable to forge. This approach however, would require the user to know the content and format of the message to ensure it has all the elements and hasn't been tampered with...
I haven't had lunch. I can't think when I'm hungry.