
    ISPs inject malware into chat download streams

    News
    28 Posts 6 Posters 2.2k Views
    • Dashrender

      http://www.ibtimes.co.uk/are-you-being-watched-finfisher-government-spy-tool-found-hiding-whatsapp-skype-1640263

      WTF - how is this even possible? Aren't these vendors securing their pages with HTTPS and the downloads as well?
      FFS - I guess they must not be.

      • scottalanmiller

        Via man in the middle attacks.

        • scottalanmiller

          This would affect companies like Avast that don't hash their binaries. If you are checking download hashes, this isn't an issue.

          • momurda

            It is an ISP MITM attack.
            "We don't know if the ISPs are in cooperation with the malware distributors or whether the ISPs' infrastructure has been hijacked."
            Either option is very bad.

            • StrongBad

              Even if you are checking hashes, in theory your ISP could be altering the published hashes for files.

              • Dashrender

                How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                Of course, if the main page is not HTTPS, but the download link is.. the ISP just replaces the HTTPS link with a non HTTPS link, and they own you.. and they own the page that displays the HASH.

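Added example (not part of the thread, and not any vendor's code): a sketch of the checks the posts above turn on, flagging a download page or installer link served without HTTPS and refusing a hash that arrived over the same unauthenticated channel as the file. The hostnames, page markup and installer bytes are constructed, and treating `https` as the only authenticated channel is an assumption.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".apk")

# Constructed sample data: a genuine installer and an altered copy.
GENUINE = b"chat-setup 1.0 (constructed sample bytes)"
TAMPERED = GENUINE + b" + injected payload (constructed)"

# What the vendor serves: HTTPS page, HTTPS link, hash of the genuine file.
CLEAN_PAGE = (
    '<a href="https://vendor.example/files/chat-setup.exe">Download</a>'
    "<code>" + hashlib.sha256(GENUINE).hexdigest() + "</code>"
)
# What an on-path party can turn a plain-HTTP page into: link downgraded,
# published hash swapped for the hash of the altered file.
REWRITTEN_PAGE = (
    '<a href="http://vendor.example/files/chat-setup.exe">Download</a>'
    "<code>" + hashlib.sha256(TAMPERED).hexdigest() + "</code>"
)


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags on a download page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def audit_download_page(page_url, html):
    """Return (finding, url) pairs for anything delivered without HTTPS."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append(("page-not-https", page_url))
    parser = _LinkCollector()
    parser.feed(html)
    for href in parser.hrefs:
        target = urljoin(page_url, href)  # resolve relative links
        parts = urlparse(target)
        is_installer = parts.path.lower().endswith(INSTALLER_SUFFIXES)
        if is_installer and parts.scheme != "https":
            findings.append(("installer-not-https", target))
    return findings


def verify_download(data, expected_sha256, hash_source_url):
    """Accept only if the digest matches AND the digest itself was authenticated."""
    # Assumption: HTTPS stands in for "authenticated channel" here.
    if urlparse(hash_source_url).scheme != "https":
        return False, "hash came over an unauthenticated channel"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    print(audit_download_page("http://vendor.example/download", REWRITTEN_PAGE))
    swapped = hashlib.sha256(TAMPERED).hexdigest()
    # The altered file "matches" the swapped hash, so the source must be checked.
    print(verify_download(TAMPERED, swapped, "http://vendor.example/download"))
```
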
                • scottalanmiller @Dashrender

                  @dashrender said in ISPs inject malware into chat download streams:

                  How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                  Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                  • Dashrender @scottalanmiller

                    @scottalanmiller said in ISPs inject malware into chat download streams:

                    @dashrender said in ISPs inject malware into chat download streams:

                    How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                    Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                    They do it by installing a Cert on your PC that allows them to be a MitM.

                    • Dashrender @scottalanmiller

                      @scottalanmiller said in ISPs inject malware into chat download streams:

                      @dashrender said in ISPs inject malware into chat download streams:

                      How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                      Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                      And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                      But once that option is gone, well, so is the free and open internet.

                      • scottalanmiller @Dashrender

                        @dashrender said in ISPs inject malware into chat download streams:

                        @scottalanmiller said in ISPs inject malware into chat download streams:

                        @dashrender said in ISPs inject malware into chat download streams:

                        How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                        Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                        And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                        But once that option is gone, well, so is the free and open internet.

                        Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                        • NashBrydges @scottalanmiller

                          @scottalanmiller said in ISPs inject malware into chat download streams:

                          @dashrender said in ISPs inject malware into chat download streams:

                          @scottalanmiller said in ISPs inject malware into chat download streams:

                          @dashrender said in ISPs inject malware into chat download streams:

                          How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                          Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                          And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                          But once that option is gone, well, so is the free and open internet.

                          Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                          That would imply accepting the cert and installing the cert.

                          • Dashrender @scottalanmiller

                            @scottalanmiller said in ISPs inject malware into chat download streams:

                            @dashrender said in ISPs inject malware into chat download streams:

                            @scottalanmiller said in ISPs inject malware into chat download streams:

                            @dashrender said in ISPs inject malware into chat download streams:

                            How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                            Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                            And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                            But once that option is gone, well, so is the free and open internet.

                            Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                            Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.

                            I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.

                            • stacksofplates @Dashrender

                              @dashrender said in ISPs inject malware into chat download streams:

                              @scottalanmiller said in ISPs inject malware into chat download streams:

                              @dashrender said in ISPs inject malware into chat download streams:

                              @scottalanmiller said in ISPs inject malware into chat download streams:

                              @dashrender said in ISPs inject malware into chat download streams:

                              How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                              Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                              And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                              But once that option is gone, well, so is the free and open internet.

                              Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                              Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.

                              I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.

                              I think that's his point. The only way the ISP cert would get there is if you put it there.

                              • Dashrender @stacksofplates

                                @stacksofplates said in ISPs inject malware into chat download streams:

                                @dashrender said in ISPs inject malware into chat download streams:

                                @scottalanmiller said in ISPs inject malware into chat download streams:

                                @dashrender said in ISPs inject malware into chat download streams:

                                @scottalanmiller said in ISPs inject malware into chat download streams:

                                @dashrender said in ISPs inject malware into chat download streams:

                                How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                                Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                                And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                                But once that option is gone, well, so is the free and open internet.

                                Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                                Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.

                                I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.

                                I think that's his point. The only way the ISP cert would get there is if you put it there.

                                I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.

                                • stacksofplates @Dashrender

                                  @dashrender said in ISPs inject malware into chat download streams:

                                  @stacksofplates said in ISPs inject malware into chat download streams:

                                  @dashrender said in ISPs inject malware into chat download streams:

                                  @scottalanmiller said in ISPs inject malware into chat download streams:

                                  @dashrender said in ISPs inject malware into chat download streams:

                                  @scottalanmiller said in ISPs inject malware into chat download streams:

                                  @dashrender said in ISPs inject malware into chat download streams:

                                  How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                                  Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                                  And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                                  But once that option is gone, well, so is the free and open internet.

                                  Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                                  Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.

                                  I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.

                                  I think that's his point. The only way the ISP cert would get there is if you put it there.

                                  I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.

                                  Oh, nm. I thought you quoted @NashBrydges. Just ignore me, I'm an idiot.

                                  • scottalanmiller @Dashrender

                                    @dashrender said in ISPs inject malware into chat download streams:

                                    @stacksofplates said in ISPs inject malware into chat download streams:

                                    @dashrender said in ISPs inject malware into chat download streams:

                                    @scottalanmiller said in ISPs inject malware into chat download streams:

                                    @dashrender said in ISPs inject malware into chat download streams:

                                    @scottalanmiller said in ISPs inject malware into chat download streams:

                                    @dashrender said in ISPs inject malware into chat download streams:

                                    How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                                    Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                                    And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                                    But once that option is gone, well, so is the free and open internet.

                                    Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                                    Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.

                                    I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.

                                    I think that's his point. The only way the ISP cert would get there is if you put it there.

                                    I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.

                                    Actually my point was when ALL certs are the same, people will pretty obviously almost always accept them. Because there is nothing to check against.

                                    • Dashrender @scottalanmiller

                                      @scottalanmiller said in ISPs inject malware into chat download streams:

                                      @dashrender said in ISPs inject malware into chat download streams:

                                      @stacksofplates said in ISPs inject malware into chat download streams:

                                      @dashrender said in ISPs inject malware into chat download streams:

                                      @scottalanmiller said in ISPs inject malware into chat download streams:

                                      @dashrender said in ISPs inject malware into chat download streams:

                                      @scottalanmiller said in ISPs inject malware into chat download streams:

                                      @dashrender said in ISPs inject malware into chat download streams:

                                      How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                                      Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                                      And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                                      But once that option is gone, well, so is the free and open internet.

                                      Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                                      Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.

                                      I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.

                                      I think that's his point. The only way the ISP cert would get there is if you put it there.

                                      I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.

                                      Actually my point was when ALL certs are the same, people will pretty obviously almost always accept them. Because there is nothing to check against.

                                      I'm not sure what you mean that all certs are the same?

                                      • scottalanmiller @Dashrender

                                        @dashrender said in ISPs inject malware into chat download streams:

                                        @scottalanmiller said in ISPs inject malware into chat download streams:

                                        @dashrender said in ISPs inject malware into chat download streams:

                                        @stacksofplates said in ISPs inject malware into chat download streams:

                                        @dashrender said in ISPs inject malware into chat download streams:

                                        @scottalanmiller said in ISPs inject malware into chat download streams:

                                        @dashrender said in ISPs inject malware into chat download streams:

                                        @scottalanmiller said in ISPs inject malware into chat download streams:

                                        @dashrender said in ISPs inject malware into chat download streams:

                                        How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

                                        Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

                                        And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

                                        But once that option is gone, well, so is the free and open internet.

                                        Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

                                        Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.

                                        I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.

                                        I think that's his point. The only way the ISP cert would get there is if you put it there.

                                        I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.

                                        Actually my point was when ALL certs are the same, people will pretty obviously almost always accept them. Because there is nothing to check against.

                                        I'm not sure what you mean that all certs are the same?

                                        If your ISP decides to inject certs, they do it most likely for all certs. So it is very, VERY hard for someone to know it is happening. All they know is that something is wrong, but they can't tell what.

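Added example (not part of the thread): one way to have something to check against is a list of certificate issuers recorded for a few unrelated sites on a connection you trust; if those sites later all present certificates from one and the same new issuer, that is the pattern of a re-signing proxy in the path. The hostnames, issuer names and the `min_hosts` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed reference: leaf-certificate issuers noted per hostname while on
# a connection you trust (another network, a VPN, a colleague's line).
REFERENCE_ISSUERS = {
    "chat.example": "CN=Public CA One",
    "mail.example": "CN=Public CA Two",
    "bank.example": "CN=Public CA Three",
    "news.example": "CN=Public CA One",
}

# Constructed observation: every site now chains to the same unfamiliar issuer.
INTERCEPTED = {host: "CN=ISP Gateway CA (constructed)" for host in REFERENCE_ISSUERS}

# Constructed observation: one site legitimately moved to a different public CA.
ROTATION = dict(REFERENCE_ISSUERS, **{"mail.example": "CN=Public CA One"})


def detect_blanket_interception(reference, observed, min_hosts=3):
    """Compare observed issuers with the reference and classify the difference.

    Issuers are compared rather than certificate fingerprints because
    fingerprints change at every routine renewal, while a site's issuing CA
    changes rarely.
    """
    changed = {
        host: issuer
        for host, issuer in observed.items()
        if host in reference and reference[host] != issuer
    }
    if not changed:
        return {"verdict": "consistent", "issuer": None, "hosts": []}

    # The issuer that most of the changed hosts now share.
    issuer, count = Counter(changed.values()).most_common(1)[0]
    hosts = sorted(h for h, i in changed.items() if i == issuer)

    # Sites that used to have different CAs converging on one new issuer is
    # what re-signing every connection with a single CA looks like.
    previously_distinct = len({reference[h] for h in hosts}) > 1
    if count >= min_hosts and previously_distinct:
        verdict = "blanket-interception"
    else:
        verdict = "isolated-change"  # e.g. a vendor switching CA; check by hand
    return {"verdict": verdict, "issuer": issuer, "hosts": hosts}


if __name__ == "__main__":
    for name, obs in (("intercepted", INTERCEPTED), ("rotation", ROTATION)):
        print(name, detect_blanket_interception(REFERENCE_ISSUERS, obs))
```
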
                                        • scottalanmiller

                                          ISPs control your view of the world. It's like VR. You strap someone into a VR console and feed them their entire view of the world and suddenly you can convince them of anything, because you control everything.

                                          • Dashrender @scottalanmiller

                                            @scottalanmiller said in ISPs inject malware into chat download streams:

                                            ISPs control your view of the world. It's like VR. You strap someone into a VR console and feed them their entire view of the world and suddenly you can convince them of anything, because you control everything.

                                            OK I'm following you there - but tell me - how is the ISP injecting certs? Let's assume they aren't hacking our machines and installing their own root cert into our certificate store... what's the issue? The user will get a prompt to install a root store cert if the ISP pushes one to them.. as long as the user doesn't accept it, the user will be safe to continue using HTTPS with no typical worry of injection of malware.
