Hacker News new | ask | show | jobs
by ndsipa_pomu 579 days ago
As with any http website, a malicious actor (e.g. someone in a coffee shop or an airport) could set up a plausible looking wifi service and then MITM the website and insert adverts or malware into the page.

However, that has been discussed on many other topics that are directly to do with TLS/certificates etc. so I don't think it's worth bringing up (aimed at the OP) every time there's an HTTP linked.
2 comments
lxgr 579 days ago
With HTTPS, the site author could still do all of that, no? So I’m not convinced this is really that big of a concern on an unknown website that I’m not entering any credentials or personal information on.
link
ndsipa_pomu 579 days ago
That's more of an issue with trusting any website, whereas TLS mitigates the risk of trusting a wifi provider or ISP. I also don't think it's much of a concern for old, infrequently used sites, but I wouldn't trust the competence of a modern website that didn't have a current SSL cert.
link
dingnuts 579 days ago
the SITE can do that when HTTPS is used, yes, but an unauthorized third party can inject stuff much more easily when it's plain HTTP. A little ARP poisoning and some mitmproxy and before you know it you're injecting malware or whatever

Whether or not that matters when viewing this particular site is up for debate

link
lxgr 579 days ago
Yes – into the sandbox of this particular site (and limited to non-HTTPS-mandatory browser APIs at that).

If that's a big threat vector, I feel like the much bigger risk would be visiting malicious sites, not a local or ISP located attacker injecting stuff into benevolent-but-HTTP-only ones.

link
ndsipa_pomu 579 days ago
> limited to non-HTTPS-mandatory browser APIs at that

Another trick that could easily be pulled by a malicious ISP/wifi provider is to insert a redirect into the HTTP page to go to an HTTPS site controlled by the attacker (presumably with some semi-related name so as to not seem suspicious to the user) and to then bypass non-HTTPS restrictions in the browser.

link
batch12 579 days ago
> I don't think it's worth bringing up (aimed at the OP) every time there's an HTTP linked.

Maybe rewritten it could be viewed as a warning for those who care instead of a criticism.

link
ndsipa_pomu 579 days ago
I'd rather just have the browser warn me
link