[Buge]

When sites don't use https, China MITMs the page, and inserts malicious javascript that enters the user's browser into a botnet that launches a DDOS attack on the github pages of human rights organizations, causing github downtime.

If you don't want your website viewers to be entered into a botnet, then use https.

https://citizenlab.org/2015/04/chinas-great-cannon/

[jamesdwilson]

as does US GOV... https://www.wired.com/2015/04/researchers-uncover-method-det...

[Buge]

Good point. Although some people might say that that isn't something they need to protect their website users against, because Quantum Insert is targeted only against very specific users such as terrorists. The Great Cannon targets all internet users indiscriminately, so website owners are more likely to sympathize with them and want to protect them.

[jamesdwilson]

LOL you didn't see the talk by Jacob Applebaum did you? They do this en masse to everyone they possibly can. https://www.youtube.com/watch?v=vILAlhwUgIU

[Buge]

That doesn't really give an example of them injecting malware into the http traffic of an innocent user.

With the Great Cannon, not only did they inject malware into the traffic of an innocent user, they injected malware into the traffic of all innocent users whose traffic went through certain Great Firewall routers.

I've used this example several times when talking to website owners who think they don't need https. My goal is to provide a specific example of how their website visitors are being attacked. With the apparently targeted attacks of Quantum Insert, the website owners could convince themselves that only terrorists are targeted, and that thus they don't need to bother protecting anyone. With the completely untargeted Great Cannon attacks, I hope to prove to them that their website visitors are actual innocent victims.