Reply to post: Re: Unfortunately, there can be some good reasons for this.

TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers

Adam 1

Re: Unfortunately, there can be some good reasons for this.

Do you honestly believe that nation states are the only ones who MitM? The hardware to MitM an open WiFi access point is in the order of $100-$200, complete with YouTube instructions. Injecting coinhive.js into any HTTP delivered page is beyond simple. Runs on batteries and is small enough to be discretely hidden in your bag, some even in your pocket (depends on the range you want as to how big the antenna is). In terms of complexity, this is "interview question for a junior info sec position" complexity level. As in, not even a theoretical test but rather here is a device, do it,

And coinhive is at the lighter end of a criminal payload.

But even taking your example of browsing some online brochure which you deem to be perfectly adequate over http. When you click the buy it link, I'm sure that you would agree that it should jump to Https. The site may even put the redirect in for you, so that's nice. Unfortunately, as the page was delivered in an insecure fashion, the MitM can intercept that page and replace the form submit target. Awkward.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022