Upside-Down-Ternet (opens in new tab)

(pete.ex-parrot.com)

66 pointsLlamaTrauma2y ago19 comments

19 comments

It's almost unimaginable today that browser traffic used to be unencrypted and people in your network or down the line to your target could see and modify your traffic.

In 2013 I wrote an article about how to turn a Squid proxy into a code injection attack mechanism [1] (which many free proxies did at the time [2]). The most "harmless" would just replace the ads you see with their own, the worse ones used browser events to report all keystrokes or mouse positions to the attackers.

[1] https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...

[2] https://blog.haschek.at/2015-analyzing-443-free-proxies/

Espressosaurus2y ago

Firesheep showed everyone, and I mean everyone how bad an idea it was. It was a bad idea before, but it was more invisibly bad.

It's hard to ignore when randos are screwing with you in real-time.

I'm sorry that open view of the internet ended, but it also ended far later than it should have by rights.

didntcheck2y ago

Yeah, it was insane how long it took for developers to start taking transport security seriously. I can understand people in the 90s or early 00s thinking "well it's not like you have an attacker on your LAN or at your ISP, right?", but Firesheep was in late 2010, properly into the era of smartphones, social networks, and free wifi, and you could just download an Android app or Firefox extension and trivially steal someone's FB account

2 more replies

purerandomness2y ago

And yet, every time there's an article about TLS, we have the same debate here with a few people arguing that their personal websites don't need HTTPS...

dclowd99012y ago

So TLS benefits people who steal WiFi?

1 more reply

Beretta_Vexee2y ago

This page is over ten years old. Back then, it was relatively easy to use ARP spoofing on the local network, identify your workstation as the gateway to the Internet and does MitM.

One of the slightly more subtle tricks that took a long time for people to identify was to modify ad banners so that they pointed to another provideur. Servers were fixed, image sizes were standardised, etc. This also required much less computing power and bandwidth.

There's a student residence that displayed a lot of ads for Bible studies and gay porn about fifteen years ago.

This wouldn't work nowadays if the majority of traffic was encrypted using TLS and authenticated using certificates.

rnts082y ago

The bad old days, when things were slower and unencrypted. I'm glad we have TLS (almost) everywhere these days but I'm not so impressed by how badly the "new" web performs.

BizarroLand2y ago

I don't know. I miss it a bit. There was a vibe of exploration that is difficult to recreate now, the cattle have overgrazed the field.

popey2y ago

This is coming up on 20 years old soon. Maybe add [2006] to the title :D

https://web.archive.org/web/20060315081659/http://www.ex-par...

fanf22y ago

Pete is also known for running https://www.mythic-beasts.com/

bclemens2y ago

Ha, fun to see this again! Back before everything was HTTPS, it was fun to use the Browser Exploitation Framework (https://beefproject.com) which had a script included that did this. Though in those cases I wasn't in control of the gateway, so ARP spoofing was required to get other devices to route through me.

jwineinger2y ago

I remember pranking my college roommates with this close to 20 years ago. Thanks for the memory refresh :D

alsetmusic2y ago

Hahaha.

https://news.ycombinator.com/item?id=39734943

j / k navigate · click thread line to collapse