Hacker News new | ask | show | jobs
by enzanki_ars 1707 days ago
ISP MITM is not low risk, and has been already done by Comcast at the very least in the US to inject warnings about bandwidth caps [0]. And with the horrible security of home routers, ISP provided or not, MITM attacks are highly likely on home connections sourced from botnets and malware attacks on routers.

[0]: https://rietta.com/blog/comcast-insecure-injection/
1 comments
forgotmypw17 1707 days ago
If you had to choose between "ISP may inject a notice" and "no access to critical information at all", which would you go for?
link
enzanki_ars 1707 days ago
In terms of the topic in this thread, it's not the customers responsibility to deal with expired root certificates. That said, I understand that there is a large issue with devices that drop support way too soon, even though the hardware is good. But the solution is not the weaken the security, but instead to force better standards for how hardware is maintained, and ensuring that there is a long lifetime where either the manufacture supports the device, or the device is completely unlocked and allowed for easy community sourced modifications and updates. That sort of critical information should be secure, because taking an example from elsewhere in this thread, I'd rather be confident I was reading the exact page as intended from the government source regarding how to apply for unemployment benefits and not have to worry that malware in the router is modifying the information on the page to steal information and use it to redirect those unemployment benefits.

And this theoretical attack on home routers is not out of the question at all. How many unmaintained unpatched IoT devices have been abused with malware/botnets. The clock is ticking on mass exploitation of home routers being attacked and it's firmware replaced with one injecting/stealing information from insecure webpages. If the devices can't be updated, we should make sure there are _safe_ alternatives to accessing the information, rather than hoping that no actor is doing things they should not.

I can list so many scenarios with critical information and attacks that could be made if the webpage was not HTTPS with proper certificates. Including school districts in the United States being force to block inappropriate content in order to receive federal funding, and those firewalls abusing non-http content to decide what to block, and school districts abusing that capability to block anything and everything they want. How about a student trying to understand more about LGBTQ+ individuals and the school district inspecting and censoring the exact content inside the pages to remove words like "lesbian" or "gay" because the school considers them "questionable." Or a school blocking articles pertaining to hacking. I have seen that exact last scenario in fact, where certain articles posted here were blocked in my highschool years ago because they were considered hacking and that was apparently not appropriate to view in school. These are real scenarios and not hypotheticals.

For more info on some other various types of fun attacks, see https://www.troyhunt.com/heres-why-your-static-website-needs...

link
forgotmypw17 1707 days ago
> That said, I understand that there is a large issue with devices that drop support way too soon, even though the hardware is good. But the solution is not the weaken the security, but instead to force better standards for how hardware is maintained, and ensuring that there is a long lifetime where either the manufacture supports the device, or the device is completely unlocked and allowed for easy community sourced modifications and updates.

Yes, that would be nice.

Unfortunately, I have exactly ZERO control over this, and it won't happen for years or decades to come, if at all. And almost certainly not for existing devices.

What I DO have control over is supporting all those devices today, right now, with some MITM risk in certain scenarios.

link