Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Heads up: this site doesn't use HTTPS, so anyone (for some definition of "any") can see what you're watching, and potentially modify it.


"this site uses HTTPS, so anyone (among the x509 oligarchy) can censor it" /s


Even taken at face value, that's a lot smaller group of people who can successfully stage an attack.


I don't know why this is something worth mentioning. If some one can MITM your HTTP requests, they can just as easily MITM your DNS and SNI etc.


Not sure how genuine you're being, but there's a big difference between someone seeing the domain name of the website I'm visiting (publicdomainflix.com), and seeing my username and password when I register.


MITMing your DNS will do much more than let people see where you want to go. It will let them send you to wherever they want as if that was the place you were trying to go.


Both attacks are equally deterministic and would be instrumented by software which share the property that they only need to be written once.

The attacker needs to run either one program or another program (with more sophisticated code but who cares, it's already written).

So really it's the same level of effort if you assume someone is just running prebuilt software, which is usually the case


For anyone reading this who isn't already familiar, the above is incorrect.

When you're browsing with HTTPS, a third party may see: - Your DNS queries (revealing the name of the website you're visiting),

- The handshake of your TLS connection, including Server Name Indicating (SNI) (revealing the name of the website you're visiting).

- A third party on the network is not however able to see the content of the website you're visiting, or the data you're submitting to the site.

When you're browsing with HTTP, a third party may see: - Your DNS queries (same as above)

- The name of the website you're visiting (via the host header)

- Any and all information sent between you and the website, as well as being able to modify any and all data sent between you and the website.


Right but that wasn't the point. The idea sometimes put out is that a more sophisticated instrumentation is less likely because it's more difficult. It's a misapplication of the threat model principle.

It's a false claim because the instrumentation is automated and the execution is identical.

To be even more specific about HTTPS, if someone is lying to you about DNS, lying to you about the key signer and lying to you about the keys, it still doesn't work because your browser ships with verification keys from the major key signers.

So the attacker would still have to break cryptography because they couldn't do a fake chain that matched the domain and the key that was sent to you with your browser.

Now if someone managed to break RSA then again, this would become a single program with as much effort to run as any other program even though it sounds like a lot more work. But there's no public break so it's assumed to be unachievable without vast computing resources.


What do you mean “MITM your SNI?” They could change it, but that change would be detected by the final handshake HMAC.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: