mirror of
https://git.sr.ht/~seirdy/seirdy.one
synced 2024-12-24 17:52:11 +00:00
New note: unencrypted connections do mean injection
This commit is contained in:
parent
9c2bd54624
commit
7594a84e8d
1 changed files with 22 additions and 0 deletions
22
content/notes/unencrypted-connections-do-mean-injection.md
Normal file
22
content/notes/unencrypted-connections-do-mean-injection.md
Normal file
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
title: "Unencrypted connections do mean injection"
|
||||
date: 2024-04-15T10:45:12-04:00
|
||||
replyURI: "https://lethallava.land/notes/9s4irgazxf"
|
||||
replyTitle: "wdym [ISPs inject content], any examples?"
|
||||
replyType: "SocialMediaPosting"
|
||||
replyAuthor: "dflxh"
|
||||
replyAuthorURI: "https://lethallava.land/@dflxh"
|
||||
replyDate: "2024-04-15T08:52:40-04:00"
|
||||
---
|
||||
[My previous response to similar concerns]({{<relref "/notes/on-enforcing-https.md">}}) is relevant. To elaborate:
|
||||
|
||||
If nothing prevents bad behavior from an ISP, and it has happened before, then you should assume it's happening. This extends to injecting JavaScript apps into insecure connections.
|
||||
|
||||
- [Marriott hotels inject scripts via Revenue eXtraction Gateway hardware (2012)](https://justinsomnia.org/2012/04/hotel-wifi-javascript-injection/)
|
||||
- [Infrastructure likely belonging to the Great Firewall of China tampers with Baidu analytics to DDoS GitHub (2015)](https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack)
|
||||
- [Comcast continues to inject its own code into websites you visit (2017)](https://thenextweb.com/news/comcast-continues-to-inject-its-own-code-into-websites-you-visit)
|
||||
- [How is my ISP able to inject into this webpage? (2019)](https://security.stackexchange.com/questions/221260/how-is-my-isp-able-to-inject-into-this-webpage)
|
||||
- [Optimum ISP is MITMing its customers (2023)](https://lukerodgers.ca/2023/12/09/optimum-isp-is-mitming-its-customers/)
|
||||
|
||||
Unless you trust every hop from your browser to the destination server (and back), assume anything unencrypted can and will be inspected (and potentially tampered with). Encrypt everything you can.
|
||||
|
Loading…
Reference in a new issue