by patcheudor
3730 days ago
One, I don't know anyone who doesn't use non-secure WiFi networks & even if they don't, they typically still do without knowing, ergo, the 'attwifi' situation.

Two, I've reviewed a number of VPN solutions over the years and they are far from perfect. Amongst some of my more notable findings: 1) Banner / update text delivered via HTTP to the client in a fully renderable state within the VPN client. Yeah, that was a fairly common issue many years ago and could be used to hijack the application UX to ask the user for things like their password. 2) Split tunneling. Some VPN providers will send HTTP traffic through the VPN while sending HTTPS traffic out the hostile leg of the VPN. This is cool and all until you use an application which doesn't properly validate the server public and then boom, a bad guy can get in the middle. Over the last half decade I've reported said flaw (failure to properly validate the server public) to over three dozen financial institutions, a couple anti-virus companies, and a major automotive manufacturer. It's real, it happens. Not to mention the Superfish and related situations.

Three, femtocells. Even if a bad actor can't get to someone's mobile computer (phone) via WiFi, they sure can by forcing it to negotiate a vulnerable cellular protocol and simply inject from there.