[anderiv]

There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT. I would not be comfortable staying so simply that NAT will protect in all situations. It’s one layer of defense, yes, but is inadequate without others like malware avoidance.

[eimrine]

> There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT.

Any examples? Suppose we have a Windows computer connected to a NAT with an access to an Internets, but the computer doesn't download anything. I am not a sysadmin but from my understanding this is almost safe.

[anderiv]

A couple examples:

1) You’re browsing the web from the old machine. Your HTTPS connection gets MITM’d due to a TLS vulnerability, and the attacker is able to gain control of your email account.

2) Unbeknownst to you, another machine on the network is infected with some virus. That machine uses a CIFS vulnerability to remotely infect and root your old computer.

[eimrine]

1. I do not believe this is possible. Old device (example - any Blackberry and may be Windows XP) can not connect to any site on the Internets except of HN, maybe because websites like mail provider use to not give any content via HTTP. Any working HTTPS connection just can not be MitMed except of if you are a person of interest of somebody extremely powerful.

2. Great example.

[postalrat]

Number one the OS is still secure. Number two is doesn't involve the NAT.