Watch a Cat Video, Get Hacked: the Death of Clear-Text 166
New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.
I'd love to use https! (Score:5, Interesting)
...So why does Slashdot redirect HTTPS back to HTTP??
Re:I'd love to use https! (Score:2, Interesting)
Simplicity and overhead.
HTTPS has overhead in encrypting all content. This can be mitigated by processors with AES instruction set, but it still impacts the scalability for the site. Most content on slashdot can probably be cached and thus CPU usage is kept to a minimum as users scale.
Staying in HTTPS but requesting HTTP resources has to be done carefully to avoid browsers from throwing cross domain violations. It's more trouble than it's worth.
No one with the know-how and resources to capture your slashdot HTTP cares what inane comments you are making or what you're reading. I'm sure some kooks think otherwise, but the government has bigger fish to fry. The HTTPS is used for critical steps, such as logging in to prevent accounts from being compromised.
Re:https is useless (Score:5, Interesting)
Flash vulnerability? (Score:4, Interesting)
Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?
Re:https is useless (Score:4, Interesting)
Dingdingding! We have a winner!
Two and a half centuries ago we allowed the government those powers, under certain strict conditions, for the good of society as a whole. The government has repeatedly shown itself incapable of acting up to its side of that bargain. We The People therefore need to strip them of that power entirely. Can't find physical evidence of a crime without making my computer tell on me? Then It didn't happen.
"But we need the government to have those powers to preserve the public order", you say? No. The sort of crimes the NSA catches (heh, I typed that as "commits" and had to correct it) have nothing to do with you and I in our daily lives. They protect megacorps and the government itself, and nothing else.
Re:https is useless (Score:3, Interesting)
Going to slashdot is safe? No SSL here.
GCHQ has already spoofed Slashdot [techdirt.com] in the past. So no, going to Slash dot is not safe.
If they want you, they can't get you?
All right then. Let's all just roll over and die, why don't we?
Look, I get your cynicism, but don't let it run to fatalism. There are things you can do:
You can get all fatalistic if you like, but if your only response to the encroachments of authority is to run further and faster, then (apologies to Scotsmen everywhere) you're not a real geek.
Clearly (Score:5, Interesting)
Java and so forth is not limited enough. Not even close. And outside of that, there's the whole "ooops, the bug let some code execute" that will plague browser-side executables forever, or as close to it as makes no difference.
This is one of the core (ha) problems with client-side execution in a general purpose machine.
If you want to host a reputable website, then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road. All this java-loaded stuff on websites is a constant invitation to problems. It's an idea that is only safe in a world without bad guys. And our world is hardly that -- even the ones that are supposed to be the good guys (the government) are bad guys now.
But if you can tell your users "turn off client side execution" and your website will still work, then all they need is a browser that can read HTML, CSS and CGI and follow the HTTP and HTTPS protocols. Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates, we can all enjoy the web without nearly as much risk for the surfer or paid blackmail for the site owner.
For all of us who remember how to read and enjoy real web sites, this would just be another (good) day. On the other hand, if you're one of those who doesn't read, likes to type "tl;dr" (and thinks it's funny, instead of sad as heck) and/or one of the video-addicted, you're probably completely screwed. :)