Hacker News
by dragontamer 2889 days ago
Okay, I get what you're saying then. Your example isn't exactly the best example... but I "get" what you're trying to say at least.

You're saying that someone can inject a "redirect header" into a fake webpage, force that upon my users through the control of a network (WiFi router or whatnot), and use my domain name and my trust to take advantage of the users.

(Your example with the Zeus malware is bad because Zeus attacked the OS directly, so it wasn't a network attack. But hypothetically, let's say it was a network attack so that it remains applicable to my example.)

Alas, HTTPS does NOT solve that, at least not while globally trusted HTTPS certificate roots remain insecure. They only need to get one HTTPS certificate signed by Comodo (or some other low-security HTTPS vendor) to attack my domain name in a manner like that.

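The comment above rests on the point that any globally trusted CA can sign a certificate for a domain it does not own. The control a practitioner would reach for here is a DNS CAA record (RFC 8659), which tells CAs which issuers the domain owner authorises. The following is an added example, not code from the thread or from any participant: it models the RFC 8659 lookup (climb to the closest ancestor with a CAA RRset, honour the issuer-critical flag, and apply `issue`/`issuewild` rules) over a constructed in-memory zone. The zone contents, the CA identifiers used in the tests, and the function names are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Issuer-critical flag bit (RFC 8659 section 4.1.1). A CA that does not
# understand a critical property MUST NOT issue.
CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone for the example (not real DNS data): FQDN -> CAA RRset.
ZONE: Dict[str, List[CAA]] = {
    # Only letsencrypt.org may issue; iodef carries a report address.
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    # A lone ";" means no CA may issue at all.
    "locked.example.com": [CAA(0, "issue", ";")],
    # Different issuers for wildcard vs. non-wildcard names.
    "wild.example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "digicert.com"),
    ],
    # An unknown tag marked critical: compliant CAs must refuse.
    "weird.example.com": [CAA(CRITICAL, "future-tag", "unknown")],
}


def relevant_caa(domain: str, zone: Dict[str, List[CAA]]) -> Optional[List[CAA]]:
    """Return the CAA RRset of the closest name at or above `domain`,
    or None if no ancestor publishes CAA (RFC 8659 section 3)."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone:
            return zone[name]
    return None


def issuer_name(value: str) -> str:
    """Strip optional ';key=value' parameters and normalise the issuer."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(domain: str, ca: str, zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Decide whether CA `ca` may issue for `domain` under the zone's CAA data.

    `domain` may be a wildcard name such as '*.example.com'; per RFC 8659 the
    relevant RRset is then looked up for the name with the '*.' label removed.
    """
    wildcard = domain.startswith("*.")
    lookup = domain[2:] if wildcard else domain
    rrset = relevant_caa(lookup, zone)

    if rrset is None:
        return True  # no CAA anywhere in the tree: issuance unrestricted

    # Critical property the CA does not understand -> must not issue.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    # Wildcards use 'issuewild' if present, otherwise fall back to 'issue'.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"

    props = [r for r in rrset if r.tag.lower() == tag]
    if not props:
        return True  # RRset exists but carries no relevant issue property

    return any(issuer_name(r.value) == ca.lower() for r in props)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "other-ca.example"),
                     ("*.wild.example.com", "digicert.com"),
                     ("weird.example.com", "letsencrypt.org")]:
        print(f"{ca:>18} may issue for {name:<22}: {issuance_allowed(name, ca)}")
```

The caveat that matches the comment's worry: CAA is enforced by the CA at issuance time and never seen by the browser, so it only constrains CAs that check it honestly. A compromised or non-compliant CA is precisely the case it cannot address; for that you are back to detecting mis-issuance after the fact rather than preventing it.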

That scam is mostly used through the ad network vector, not MITM. Btw, it only references Zeus; it's not Zeus. A more subtle example is cryptocurrency miner scripts that result in your static page pegging a CPU core.

HTTPS raises the bar. There's no happily ever after in security. Maybe in five years domain hijacking and cert abuse will be as common as aforementioned fake tech support scams that prevent users from closing the tab. Some of them even set full-screen on desktop browsers and vibrate your phone (grr).

Oh, a fake Zeus scam. That makes more sense then.

> That scam is mostly used through ad network vector not MITM.

Just one more reason why I'm not going to use ads to fund any web-projects I do.

-------

I agree that HTTPS raises the bar and makes it more difficult for certain scams. Indeed, I'd go as far as to say that any webpage with user-inputtable data (i.e. usernames, passwords, etc.) is required to be HTTPS. The risks are too great and that's the minimum security users expect these days.

But I'm still of the opinion that Web 1.0 style static sites can be served with HTTP just fine. If there are no usernames, no interactivity, and PURELY hosting static content in a community that's relatively lax (again: Minecraft and Eve Online fail. I'd use HTTPS even for a static site if I were doing Minecraft or Eve Online stuff), then I'd think HTTP is just fine.