[Cryptography] phishing, was Encryption opinion

John Levine johnl at iecc.com
Mon Sep 8 23:45:17 EDT 2014


>    "Comcast Wi-Fi serving self-promotional ads via JavaScript injection"
>
>If carriers and others are permitted to inject anything the framework
>for MITM attacks is established and made legal.

This battle was lost long, long ago.  ISPs routinely intercept
NXDOMAIN DNS results and replace them with A records pointing to a web
server with "helpful" paid ads.  On mobile networks, it's very common
to force web traffic through caches, and to re-encode images to
smaller versions appropriate for the tiny screens.

It's also fairly common to intercept port 25 traffic and force it
through outbound spam filters.  This last bit is about abuse
management, not revenue enhancement.

There's a couple of companies with names I forget (no doubt they want
me to) who produce specialist equipment to do DPI and replace packets
like this.

Most of the web nonsense can be prevented with https, at least if you
have an honest browser that doesn't interpret https as "tell the cache
at the ISP to fetch the https version".

R's,
John


More information about the cryptography mailing list