ISPs inject malware into chat download streams
-
Even if you are checking hashes, in theory your ISP could be altering the published hashes for files.
-
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Of course, if the main page is not HTTPS, but the download link is.. the ISP just replaces the HTTPS link with a non HTTPS link, and they own you.. and they own the page that displays the HASH.
-
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
They do it by installing a Cert on your PC that allows them to be a MitM.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
-
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
That would imply accepting the cert and installing the cert.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
-
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
I think that's his point. The only way the ISP cert would get there is if you put it there.
-
@stacksofplates said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
I think that's his point. The only way the ISP cert would get there is if you put it there.
I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.
-
@dashrender said in ISPs inject malware into chat download streams:
@stacksofplates said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
I think that's his point. The only way the ISP cert would get there is if you put it there.
I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.
Oh, nm. I thought you quoted @NashBrydges. Just ignore me, I'm an idiot.
-
@dashrender said in ISPs inject malware into chat download streams:
@stacksofplates said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
I think that's his point. The only way the ISP cert would get there is if you put it there.
I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.
Actually my point was when ALL certs are the same, people will pretty obviously almost always accept them. Because there is nothing to check against.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@stacksofplates said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
I think that's his point. The only way the ISP cert would get there is if you put it there.
I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.
Actually my point was when ALL certs are the same, people will pretty obviously almost always accept them. Because there is nothing to check against.
I'm not sure what you mean that all certs are the same?
-
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@stacksofplates said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Eh? you get prompted to install a cert into your certificate store - it doesn't just happen, unless you buy your computer pre configured from your ISP.
I suppose the ISP could also prevent any and all HTTPS, but then tons of things wouldn't work at all.
I think that's his point. The only way the ISP cert would get there is if you put it there.
I'm still not getting it - sure, 99.9% of users will just accept any ol' popup that shows up on their computer.. so they'll get the cert installed, but Scott never likes to talk about the bad things that people do, do. Instead he focuses more on the things that people should do.
Actually my point was when ALL certs are the same, people will pretty obviously almost always accept them. Because there is nothing to check against.
I'm not sure what you mean that all certs are the same?
If your ISP decides to inject certs, they do it most likely for all certs. So it is very, VERY hard for someone to know it is happening. All they know is that something is wrong, but they can't tell what.
-
ISPs control your view of the world. It's like VR. You strap someone into a VR console and feed them their entire view of the world and suddenly you can convince them of anything, because you control everything.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
ISPs control your view of the world. It's like VR. You strap someone into a VR console and feed them their entire view of the world and suddenly you can convince them of anything, because you control everything.
OK I'm following you there - but tell me - how is the ISP injecting certs? Let's assume they aren't hacking our machines and installing their own root cert into our certificate store... what's the issue? The user will get a prompt to install a root store cert if the ISP pushes one to them.. as long as the user doesn't accept it, the user will be safe to continue using HTTPS with no typical worry of injection of malware.
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assume I'm trying to download Telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
-
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assume I'm trying to download Telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?
-
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assume I'm trying to download Telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?
You're held hostage by your ISP. Given no other choice you might be tempted to accept their terms but you'd be idiotic in accepting those terms of having to accept their cert. I'll give you that for the majority of people, yeah, they wouldn't think twice. Which is sad.
-
@nashbrydges said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
@scottalanmiller said in ISPs inject malware into chat download streams:
@dashrender said in ISPs inject malware into chat download streams:
How do they MitM you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.
Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?
And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.
But once that option is gone, well, so is the free and open internet.
Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.
Oh.. I think I see where you are going here... but now my question is - will that work?
Let's assume I'm trying to download Telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.
But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?
You're held hostage by your ISP. Given no other choice you might be tempted to accept their terms but you'd be idiotic in accepting those terms of having to accept their cert. I'll give you that for the majority of people, yeah, they wouldn't think twice. Which is sad.
But what is the OTHER option? See the issue? They own you, in many cases, accepting their terms is a foregone conclusion.
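-
Added example, not part of any post in this thread: the thread's point that blanket interception shows up as the same certificate problem on every site can be checked by comparing the issuer each HTTPS site presents on the current network against a baseline recorded on a network you trust. The host names, issuer names and the `assess` helper are constructed for illustration; `fetch_issuer` uses only the Python standard library.

```python
import socket
import ssl
from collections import Counter

UNTRUSTED = "<chain not trusted by local root store>"

def issuer_org(cert):
    """Issuer organisation (or common name) from ssl.getpeercert() output."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName") or "<unknown>"

def fetch_issuer(host, port=443, timeout=5.0):
    """Live probe: the issuer seen from this network, or UNTRUSTED when the
    presented chain does not validate against the local root store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return issuer_org(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return UNTRUSTED

def assess(baseline, observed):
    """Compare issuers seen now with the baseline from a trusted network.

    ("ok", None)            nothing changed
    ("intercepted", issuer) every probed host changed to the same issuer
    ("review", [hosts])     some hosts changed; may be an ordinary CA switch
    """
    compared = [h for h in observed if h in baseline]
    changed = {h: observed[h] for h in compared if observed[h] != baseline[h]}
    if not changed:
        return "ok", None
    top, count = Counter(changed.values()).most_common(1)[0]
    # Unrelated sites all moving to one issuer at once is the signature of an
    # inspection box or an ISP re-signing traffic, not of CA rotation.
    if len(compared) >= 3 and count == len(compared):
        return "intercepted", top
    return "review", sorted(changed)

# Constructed sample data: issuers recorded on a trusted network ...
BASELINE = {
    "site-a.example": "Example CA One",
    "site-b.example": "Example CA Two",
    "site-c.example": "Example CA Three",
}
# ... and what the same hosts present behind an intercepting network whose
# root cert the user has installed.
INTERCEPTED = {host: "Hypothetical ISP Root CA" for host in BASELINE}

if __name__ == "__main__":
    print(assess(BASELINE, BASELINE))
    print(assess(BASELINE, INTERCEPTED))
    # Root cert NOT installed: every site fails validation instead.
    print(assess(BASELINE, {host: UNTRUSTED for host in BASELINE}))
```

To run it against live sites, build `observed` with `{h: fetch_issuer(h) for h in BASELINE}` using hosts whose issuers you recorded earlier on a separate connection.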