[geek_at]

It's almost unimaginable today that browser traffic used to be unencrypted and people in your network or down the line to your target could see and modify your traffic.

In 2013 I wrote an article about how to turn a Squid proxy into a code injection attack mechanism [1] (which many free proxies did at the time [2]). The most "harmless" would just replace the ads you see with their own, the worse ones used browser events to report all keystrokes or mouse positions to the attackers.

[1] https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...

[2] https://blog.haschek.at/2015-analyzing-443-free-proxies/

[Espressosaurus]

Firesheep showed everyone, and I mean everyone how bad an idea it was. It was a bad idea before, but it was more invisibly bad.

It's hard to ignore when randos are screwing with you in real-time.

I'm sorry that open view of the internet ended, but it also ended far later than it should have by rights.

[didntcheck]

Yeah, it was insane how long it took for developers to start taking transport security seriously. I can understand people in the 90s or early 00s thinking "well it's not like you have an attacker on your LAN or at your ISP, right?", but Firesheep was in late 2010, properly into the era of smartphones, social networks, and free wifi, and you could just download an Android app or Firefox extension and trivially steal someone's FB account

[alsetmusic]

If you want to truly have an aneurism (wow, I can't believe I spelled that correctly on the first try! I was sure the computer would have to correct me.), read The Cuckoo's Egg, by Cliff Stoll. It might be the first book about hacking; it was published in the 80s. You might recognize the name of a well-known Unix engineer at a government agency as they try to track the hacker's origin.

Anyway, as you alluded, everything was wide open. The author ponders the amount of trust that was accepted at the time. Nothing surprising, but it still made me say, "wtf" to myself as I read it. Very low skill was needed at the time, relative to modern systems. I guess this is why social engineering is such an effective pathway today.

[HappMacDonald]

Holy cow, I never realized that Professor Glass Klein Bottles wrote hacking books 40 years ago. Noice, I should check that one out then.

[dogleash]

> Yeah, it was insane how long it took for developers to start taking transport security seriously.

It's just the way life works.

In 10 years it will be "insane" that your computer ever ran any unsigned code.

10 more years after that it will be "insane" that computers trusting a codesigning key other than the blessed ones were ever allowed to connect to anything useful over the internet.

[simiones]

Not sure if you intended it this way, but it sounds like you believe that it's not a great thing that almost all traffic on the Internet is encrypted today, or that you think it would/will be good to have all computers on the Internet running only "trusted" code.

One can believe it's crazy to run unencrypted traffic while also believing it's crazy not to allow me to run any code I want to connect to the Internet. There is no slippery slope between these two.

[dogleash]

The only thing I believe is that the hypothetical future I describe is a non-zero chance possibility. Everything else is the is/ought problem. I'm just talking about how prevailing attitudes change over time.

[purerandomness]

And yet, every time there's an article about TLS, we have the same debate here with a few people arguing that their personal websites don't need HTTPS...

[dclowd9901]

So TLS benefits people who steal WiFi?

[batch12]

Yes and also everyone else.