Hacker News new | ask | show | jobs
by mike-cardwell 3702 days ago
If you visit any non-https site, then you leave a vector wide open for a MITM to perform numerous types of attacks. Not just against the unencrypted site you're visiting. They can launch phishing attacks or CSRF attacks or inject malware.

If every site were https, then that would provide a huge boost to peoples privacy and security.
1 comments
formula_ninguna 3701 days ago
>If you visit any non-https site, then you leave a vector wide open for a MITM to perform numerous types of attacks.

how?

link
mike-cardwell 3701 days ago
I gave 3 examples. Phishing, malware injection and CSRF. If you want to know how these sorts of attacks work, there isn't enough space in a HN comment so go use a search engine.
link
inglor 3701 days ago
Phishing and malware injection are obvious - but how would that give you (any more) leverage to perform CSRF? (since well, the backend validates the token).

XSS for sure (which is probably what you meant by malware injection) and that sort of can enable CSRF if the vulnerability was already there - but I don't think it can cause it.

link
mike-cardwell 3698 days ago
CSRF is "cross site request forgery". It is an attack. What you are talking about when you start mentioning tokens, is presumably the various methods of mitigation that a number of websites use to defend against that particular attack.

A MITM can initiate a CSRF attack, because they can add arbitrary code to the page. Whether or not the target site has protection, and whether or not the attack is successfull, does not change the fact that a MITM can launch one. Sites still need to protect against CSRF because there are other methods of launching them, but nontheless, if all sites were HTTPS and HTTP didn't exist, then that would defend you against a MITM on an untrusted network launching one.

I didn't mean XSS when I said malware injection. I didn't mention XSS and I didn't intend to.

link
codetaku 3701 days ago
If you can select a handful of sensitive-information websites that use https but not frame-busting to make invisible iframes to and then just check which ones are already authenticated, you can do any number of things. Because any MITM attacker basically controls your browser. (I imagine some browsers have built-in defenses for this at this point--I haven't looked into this attack in a while. But defenses definitely aren't guaranteed by HTTPS)
link
liveoneggs 3701 days ago
it's fairly common for an ISP to inject popups into web traffic (or redirect your dns)
link
formula_ninguna 3701 days ago
by the way, is it legal? how do they explain that?
link
mike-cardwell 3698 days ago
In which country, in which jurisdiction, according to which lawyer?
link