Hacker News
by gruez 2655 days ago
> someone with my browser information and name could just mitm me recording the timestamps of requests to protonmail's server and request a password reset.

If they can MITM you, why not steal the password directly, or serve malicious js to get your password?


Because https mitigates their attack vectors as a mitm. They can't steal the password since it's not sent in plaintext, and for similar reasons can't deliver/inject malicious JavaScript. They could collect timestamps though and scrape header information from http connections to other sites.

Not really. It just requires HTTPS mitm. It is harder to have a CA that can create a cert that looks like it was issued by the original website you are trying to achieve, but this is standard practice in gov agencies to mitm HTTPS communication. The mitigation of these sorts of attacks is called certificate pinning.

https://security.stackexchange.com/questions/29988/what-is-c...

That's a fair point. My reply was more in the context of the root comment - and with an average attacker in mind - where they were describing eavesdropping as opposed to an attack carried out by a sophisticated actor.

My point was that MITMing HTTPS and HSTS isn't really necessary to carry out an attack as described by the root comment.

You only need to be in position to eavesdrop and/or MITM http connections to scrape together the necessary information; a much lower bar.

True, I guess I was just nitpicking. :)

What you're describing is eavesdropping, not MITM.

In that case I meant eavesdropping.