Watch a Cat Video, Get Hacked: the Death of Clear-Text
New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.
Re:I'd love to use https! (Score:5, Informative)
Because Slashdot is not run by tech people anymore; it's just a large, ignorant media conglomerate that cares not for its users until it starts to affect the bottom line.
Besides, enabling https could take minutes of labor time from literally ones of administrators to implement; that's not free, you know.
Re:https is useless (Score:5, Informative)
What good is https going to be against the state? You think they cannot coerce Verisign et al. to hand over a copy of the root keys?
Sure, they could, but I doubt they are.
If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence for companies like VeriSign (rather, for their cert-issuing division).
While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.
Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.
I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.
Re:https is useless (Score:5, Informative)
If the state can forge certs, the state can redirect your traffic to their youtube proxy and insert the malware just behind the fake thing you authenticated with. Your own private keys will not protect you.
This is one of the many reasons why the public PKI is broken.
Re:https is useless (Score:4, Informative)
Chrome pins Google's certs, so if anyone did try to make new fake ones the browser would flag it up. I believe there is a plug-in for Firefox that alerts you when certs change too.
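The pinning check the comments above describe (Chrome's built-in pins, the Firefox cert-change plug-in) comes down to one computation: hash the server's SubjectPublicKeyInfo and compare it with a stored set, independently of which CA signed the certificate. The block below is an added example written for this page, not code from Chrome, Perspectives or any commenter; it uses only the Python standard library, builds the SPKI DER for an RSA key by hand, and uses toy-sized constructed key values (`GOOD_KEY`, `ROGUE_KEY`) purely so it runs offline. The hash-of-SPKI, base64 pin format is the one used by HTTP Public Key Pinning (RFC 7469).

```python
import base64
import hashlib

# --- minimal DER encoding helpers (stdlib only) ---------------------------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps positive values positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING(RSAPublicKey) }"""
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(e))
    subject_public_key = _tlv(0x03, b"\x00" + rsa_public_key)   # 0 unused bits
    algorithm = _tlv(0x30, RSA_ENCRYPTION_OID + DER_NULL)
    return _tlv(0x30, algorithm + subject_public_key)

# --- pinning -------------------------------------------------------------

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SPKI DER)), as in RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def chain_matches_pins(chain_spkis: list[bytes], pinned: set[str]) -> bool:
    """Accept the connection only if some SPKI in the presented chain is pinned.

    The CA signature on the chain is deliberately not consulted here: a
    rogue-but-valid certificate from a coerced CA carries a different key and
    therefore a different pin, which is exactly what pinning is meant to catch.
    """
    return any(spki_pin(spki) in pinned for spki in chain_spkis)

# Constructed toy keys (NOT real RSA moduli; sizes kept tiny so this runs instantly).
GOOD_KEY = (0xC3A1F7D9B5E2A4C6, 65537)    # assumed: the site's genuine key
ROGUE_KEY = (0xD4B2E8C0A6F3B5D7, 65537)   # assumed: key in a CA-signed forgery

PINNED = {spki_pin(rsa_spki_der(*GOOD_KEY))}

def genuine_chain_ok() -> bool:
    return chain_matches_pins([rsa_spki_der(*GOOD_KEY)], PINNED)

def forged_chain_ok() -> bool:
    # Same hostname, valid CA signature, different key: pin check must fail.
    return chain_matches_pins([rsa_spki_der(*ROGUE_KEY)], PINNED)

if __name__ == "__main__":
    print("genuine chain accepted:", genuine_chain_ok())
    print("forged chain accepted:", forged_chain_ok())
```

Pinning the SPKI rather than the whole certificate means a routine renewal that keeps the same key pair does not trip the check, while a certificate for the same name that was issued to a different key pair does, whoever signed it. A deployment would normally pin more than one hash (a backup key) so that a lost key does not lock every client out.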
This vulnerability has been known for a long time.
Re:This is just evil. (Score:5, Informative)
Rendering HTML isn't "executing arbitrary code" in any meaningful way.
Re:Flash vulnerability? (Score:5, Informative)
In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates that they may accept a fake update delivered over an insecure connection. Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who is in the middle.
Re:Flash vulnerability? (Score:5, Informative)