by founderling 2379 days ago

    If the message is altered then the most pain
    anyone will have is connecting somewhere else
    for the first time
If the page is altered so it loads 3rd party tracking code, then the pain is to be tracked.

If the page is altered so it opens a "Please enter your ebay login" phishing site in the background, a user might switch tabs, think "Oh, I logged out of ebay somehow" and enter their password into the attacker's site, exposing them to the pain of ecommerce fraud.

If the page is altered to use a 0-day exploit, the pain is to have a zombie machine afterwards.

Etc etc ...


If you can inject such content (as in an ARP poisoning or other man-in-the-middle scenario), why wouldn’t you go after the DNS requests?

HTTPS will protect you against hijacked DNS requests as well.

Not by itself; if you have special HTTP headers it will. But some of those are deprecated (HPKP, for example)[0]

[0]: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browse...

If you hijack the DNS request and respond with the IP of a different server, that server will not have a valid certificate for the domain in question. Why are any extra features required?