Upside-Down-Ternet

pete.ex-parrot.com

66 points by LlamaTrauma 2 years ago · 19 comments

geek_at 2 years ago

It's almost unimaginable today that browser traffic used to be unencrypted and people in your network or down the line to your target could see and modify your traffic.

In 2013 I wrote an article about how to turn a Squid proxy into a code injection attack mechanism [1] (which many free proxies did at the time [2]). The most "harmless" would just replace the ads you see with their own, the worse ones used browser events to report all keystrokes or mouse positions to the attackers.

[1] https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...

[2] https://blog.haschek.at/2015-analyzing-443-free-proxies/

  • Espressosaurus 2 years ago

    Firesheep showed everyone, and I mean everyone, how bad an idea it was. It was a bad idea before, but it was more invisibly bad.

    It's hard to ignore when randos are screwing with you in real-time.

    I'm sorry that open view of the internet ended, but it also ended far later than it should have by rights.

    • didntcheck 2 years ago

      Yeah, it was insane how long it took for developers to start taking transport security seriously. I can understand people in the 90s or early 00s thinking "well it's not like you have an attacker on your LAN or at your ISP, right?", but Firesheep was in late 2010, properly into the era of smartphones, social networks, and free wifi, and you could just download an Android app or Firefox extension and trivially steal someone's FB account.

      • alsetmusic 2 years ago

        If you want to truly have an aneurism (wow, I can't believe I spelled that correctly on the first try! I was sure the computer would have to correct me.), read The Cuckoo's Egg, by Cliff Stoll. It might be the first book about hacking; it was published in the 80s. You might recognize the name of a well-known Unix engineer at a government agency as they try to track the hacker's origin.

        Anyway, as you alluded, everything was wide open. The author ponders the amount of trust that was accepted at the time. Nothing surprising, but it still made me say, "wtf" to myself as I read it. Very low skill was needed at the time, relative to modern systems. I guess this is why social engineering is such an effective pathway today.

        • HappMacDonald 2 years ago

          Holy cow, I never realized that Professor Glass Klein Bottles wrote hacking books 40 years ago. Noice, I should check that one out then.

      • dogleash 2 years ago

        > Yeah, it was insane how long it took for developers to start taking transport security seriously.

        It's just the way life works.

        In 10 years it will be "insane" that your computer ever ran any unsigned code.

        10 more years after that it will be "insane" that computers trusting a codesigning key other than the blessed ones were ever allowed to connect to anything useful over the internet.

        • simiones 2 years ago

          Not sure if you intended it this way, but it sounds like you believe that it's not a great thing that almost all traffic on the Internet is encrypted today, or that you think it would/will be good to have all computers on the Internet running only "trusted" code.

          One can believe it's crazy to run unencrypted traffic while also believing it's crazy not to allow me to run any code I want to connect to the Internet. There is no slippery slope between these two.

          • dogleash 2 years ago

            The only thing I believe is that the hypothetical future I describe is a non-zero chance possibility. Everything else is the is/ought problem. I'm just talking about how prevailing attitudes change over time.

  • purerandomness 2 years ago

    And yet, every time there's an article about TLS, we have the same debate here with a few people arguing that their personal websites don't need HTTPS...

Beretta_Vexee 2 years ago

This page is over ten years old. Back then, it was relatively easy to use ARP spoofing on the local network, identify your workstation as the gateway to the Internet and do MitM.

One of the slightly more subtle tricks that took a long time for people to identify was to modify ad banners so that they pointed to another provider. Servers were fixed, image sizes were standardised, etc. This also required much less computing power and bandwidth.

There's a student residence that displayed a lot of ads for Bible studies and gay porn about fifteen years ago.

This wouldn't work nowadays if the majority of traffic was encrypted using TLS and authenticated using certificates.

rnts08 2 years ago

The bad old days, when things were slower and unencrypted. I'm glad we have TLS (almost) everywhere these days but I'm not so impressed by how badly the "new" web performs.

  • BizarroLand 2 years ago

    I don't know. I miss it a bit. There was a vibe of exploration that is difficult to recreate now, the cattle have overgrazed the field.

popey 2 years ago

This is coming up on 20 years old soon. Maybe add [2006] to the title :D

https://web.archive.org/web/20060315081659/http://www.ex-par...

fanf2 2 years ago

Pete is also known for running https://www.mythic-beasts.com/

bclemens 2 years ago

Ha, fun to see this again! Back before everything was HTTPS, it was fun to use the Browser Exploitation Framework (https://beefproject.com) which had a script included that did this. Though in those cases I wasn't in control of the gateway, so ARP spoofing was required to get other devices to route through me.

jwineinger 2 years ago

I remember pranking my college roommates with this close to 20 years ago. Thanks for the memory refresh :D

alsetmusic 2 years ago

Hahaha.

https://news.ycombinator.com/item?id=39734943
