Slashdot Mirror


Watch a Cat Video, Get Hacked: the Death of Clear-Text

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

7 of 166 comments

  1. I'd love to use https! by XanC · Score: 5, Interesting

    ...So why does Slashdot redirect HTTPS back to HTTP??

    1. Re:I'd love to use https! by Anonymous Coward · Score: 2, Interesting

      Simplicity and overhead.

      HTTPS has overhead in encrypting all content. This can be mitigated by processors with AES instruction set, but it still impacts the scalability for the site. Most content on slashdot can probably be cached and thus CPU usage is kept to a minimum as users scale.

      Staying in HTTPS but requesting HTTP resources has to be done carefully to keep browsers from throwing cross-domain violations. It's more trouble than it's worth.

      No one with the know-how and resources to capture your slashdot HTTP cares what inane comments you are making or what you're reading. I'm sure some kooks think otherwise, but the government has bigger fish to fry. The HTTPS is used for critical steps, such as logging in to prevent accounts from being compromised.

  2. Re:https is useless by HaeMaker · Score: 4, Interesting

    Correct. What makes anyone think NSA agents aren't working at Google, Microsoft, Verisign, etc.? Anyone checks who actually signed the certs. Almost all devices trust a few DoD root certs by default. Going to slashdot is safe? No SSL here. Do any of these GIFs, JPGs or PNGs contain exploits? If they want you, they can't get you?

  3. Flash vulnerability? by Animats · Score: 3, Interesting

    Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?

  4. Re:https is useless by pla · Score: 3, Interesting

    unless we want to strip the state off their power to search us (and trail us).

    Dingdingding! We have a winner!

    Two and a half centuries ago we allowed the government those powers, under certain strict conditions, for the good of society as a whole. The government has repeatedly shown itself incapable of acting up to its side of that bargain. We The People therefore need to strip them of that power entirely. Can't find physical evidence of a crime without making my computer tell on me? Then it didn't happen.

    "But we need the government to have those powers to preserve the public order", you say? No. The sort of crimes the NSA catches (heh, I typed that as "commits" and had to correct it) have nothing to do with you and I in our daily lives. They protect megacorps and the government itself, and nothing else.

  5. Re:https is useless by grcumb · Score: 2, Interesting

    Going to slashdot is safe? No SSL here.

    GCHQ has already spoofed Slashdot in the past. So no, going to Slashdot is not safe.

    If they want you, they can't get you?

    All right then. Let's all just roll over and die, why don't we?

    Look, I get your cynicism, but don't let it run to fatalism. There are things you can do:

    • Stop making it easy on them. Stop using Windows. Seriously. Understand that what's convenient for you is often convenient for them.
    • Stop using proprietary software at all. Yes, yes, HeartBleed nothing is safe bla bla bla. I'm not talking about safe, though; I'm talking about safer. And FOSS is, objectively, a safer environment, and will remain so even after it becomes popular.
    • Start building and using federated, encrypted, decentralised, peer-to-peer systems. I honestly don't know why geeks didn't do this years ago, but why the fuck is Facebook the state of the art in social media? I mean, seriously. It's not only a privacy disaster area, it's a badly polished piece of shit to boot. We know that They don't like TOR because it's harder for Them. We know that they don't like bittorrent because it's harder for Them. So why the fuck are we not taking a clue from that and creating a UseNET we can go back to? I mean, I get why the peons don't, but we're geeks, for fuck sake. That used to mean something.
    • Start re-imagining an internet whose physical characteristics resemble its protocols. At the outset, we thought it would be cool to have generic protocols that ran more or less transparently on any old network at all. What we didn't realise was that just because stupid networks were possible, that didn't mean they were inevitable. The whole ICANN/ITU fiasco is all the evidence we need to see that the world's telcos have begun to realise how much ground they've lost and they want it back. But that doesn't mean we have to give it to them. Mesh topologies using low-power devices are the only way we cut them back down to size.

    You can get all fatalistic if you like, but if your only response to the encroachments of authority is to run further and faster, then (apologies to Scotsmen everywhere) you're not a real geek.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.

  6. Clearly by fyngyrz · Score: 4, Interesting

    Java and so forth is not limited enough. Not even close. And outside of that, there's the whole "ooops, the bug let some code execute" that will plague browser-side executables forever, or as close to it as makes no difference.

    This is one of the core (ha) problems with client-side execution in a general purpose machine.

    If you want to host a reputable website, then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road. All this java-loaded stuff on websites is a constant invitation to problems. It's an idea that is only safe in a world without bad guys. And our world is hardly that -- even the ones that are supposed to be the good guys (the government) are bad guys now.

    But if you can tell your users "turn off client side execution" and your website will still work, then all they need is a browser that can read HTML, CSS and CGI and follow the HTTP and HTTPS protocols. Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates, we can all enjoy the web without nearly as much risk for the surfer or paid blackmail for the site owner.

    For all of us who remember how to read and enjoy real web sites, this would just be another (good) day. On the other hand, if you're one of those who doesn't read, likes to type "tl;dr" (and thinks it's funny, instead of sad as heck) and/or one of the video-addicted, you're probably completely screwed. :)

    --
    I've fallen off your lawn, and I can't get up.