ISPs inject malware into chat download streams
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@stacksofplates said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
I think that's his point. The only way the ISP cert would get there is if you put it there.
I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.
Actually my point was when ALL certs are the same, people will pretty obviously almost always accept them. Because there is nothing to check against.
I'm not sure what my mean that all certs are the same?
-
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@stacksofplates said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
I think that's his point. The only way the ISP cert would get there is if you put it there.
I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.
Actually my point was when ALL certs are the same, people will pretty obviously almost always accept them. Because there is nothing to check against.
I'm not sure what my mean that all certs are the same?
If your ISP decides to inject certs, they do it most likely for all certs. So it is very, VERY hard for someone to know it is happening. All they know is that something is wrong, but they can't tell what.
-
ISPs control your view of the world. It's like VR. You strap someone into a VR console and feed them their entire view of the world and suddenly you can convince them of anything, because you control everything.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
ISPs control your view of the world. It's like VR. You strap someone into a VR console and feed them their entire view of the world and suddenly you can convince them of anything, because you control everything.
OK I'm following you there - but tell me - how is the ISP injecting certs? Let's assume they aren't hacking our machines and installing their own root cert into our certificate store... what's the issue? The user will get a prompt to install a root store cert if the ISP pushes one to them.. as long as the user doesn't accept it, the user will be save to continue using HTTPS with no typical worry of injection of malware.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assuming I'm trying to download telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
-
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assuming I'm trying to download telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assuming I'm trying to download telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?
You're held hostage by your ISP. Given no other choice you might be tempted to accept their terms but you'd be idiotic in accepting those terms of having to accept their cert. I'll give you that for majority of people, yeah, they wouldn't think twice. Which is sad.
-
@nashbrydges said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assuming I'm trying to download telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?
You're held hostage by your ISP. Given no other choice you might be tempted to accept their terms but you'd be idiotic in accepting those terms of having to accept their cert. I'll give you that for majority of people, yeah, they wouldn't think twice. Which is sad.
But what is the OTHER option? See the issue? They own you, in many cases, accepting their terms is a foregone conclusion.
-
For all intents and purposes, an ISP is the government. You can refuse to accept the terms and conditions of your government, but you still have to use their water and pay their taxes.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assuming I'm trying to download telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?
You can get another ISP - at least until there is no option for another ISP.
But things like Chrome completely freak out when it runs into a fake google cert - I'm not sure if that freak out includes simply not working for google properties or not though.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
For all intents and purposes, an ISP is the government. You can refuse to accept the terms and conditions of your government, but you still have to use their water and pay their taxes.
while the service might not be as good, at least I live in an area where there is more than one option.
-
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assuming I'm trying to download telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?
You can get another ISP - at least until there is no option for another ISP.
But things like Chrome completely freak out when it runs into a fake google cert - I'm not sure if that freak out includes simply not working for google properties or not though.
Sometimes you can. Sometimes you can't. Often you can't.
