Upside-Down-Ternet (opens in new tab)

(pete.ex-parrot.com)

66 pointsLlamaTrauma2y ago19 comments

19 comments

It's almost unimaginable today that browser traffic used to be unencrypted and people in your network or down the line to your target could see and modify your traffic.

In 2013 I wrote an article about how to turn a Squid proxy into a code injection attack mechanism [1] (which many free proxies did at the time [2]). The most "harmless" would just replace the ads you see with their own, the worse ones used browser events to report all keystrokes or mouse positions to the attackers.

[1] https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...

[2] https://blog.haschek.at/2015-analyzing-443-free-proxies/

Espressosaurus2y ago

Firesheep showed everyone, and I mean everyone how bad an idea it was. It was a bad idea before, but it was more invisibly bad.

It's hard to ignore when randos are screwing with you in real-time.

I'm sorry that open view of the internet ended, but it also ended far later than it should have by rights.

didntcheck2y ago

Yeah, it was insane how long it took for developers to start taking transport security seriously. I can understand people in the 90s or early 00s thinking "well it's not like you have an attacker on your LAN or at your ISP, right?", but Firesheep was in late 2010, properly into the era of smartphones, social networks, and free wifi, and you could just download an Android app or Firefox extension and trivially steal someone's FB account

alsetmusic2y ago

If you want to truly have an aneurism (wow, I can't believe I spelled that correctly on the first try! I was sure the computer would have to correct me.), read The Cuckoo's Egg, by Cliff Stoll. It might be the first book about hacking; it was published in the 80s. You might recognize the name of a well-known Unix engineer at a government agency as they try to track the hacker's origin.

Anyway, as you alluded, everything was wide open. The author ponders the amount of trust that was accepted at the time. Nothing surprising, but it still made me say, "wtf" to myself as I read it. Very low skill was needed at the time, relative to modern systems. I guess this is why social engineering is such an effective pathway today.

1 more reply

dogleash2y ago

> Yeah, it was insane how long it took for developers to start taking transport security seriously.

It's just the way life works.

In 10 years it will be "insane" that your computer ever ran any unsigned code.

10 more years after that it will be "insane" that computers trusting a codesigning key other than the blessed ones were ever allowed to connect to anything useful over the internet.

1 more reply

purerandomness2y ago

And yet, every time there's an article about TLS, we have the same debate here with a few people arguing that their personal websites don't need HTTPS...

dclowd99012y ago

So TLS benefits people who steal WiFi?

batch122y ago

Yes and also everyone else.

Beretta_Vexee2y ago

This page is over ten years old. Back then, it was relatively easy to use ARP spoofing on the local network, identify your workstation as the gateway to the Internet and does MitM.

One of the slightly more subtle tricks that took a long time for people to identify was to modify ad banners so that they pointed to another provideur. Servers were fixed, image sizes were standardised, etc. This also required much less computing power and bandwidth.

There's a student residence that displayed a lot of ads for Bible studies and gay porn about fifteen years ago.

This wouldn't work nowadays if the majority of traffic was encrypted using TLS and authenticated using certificates.

rnts082y ago

The bad old days, when things were slower and unencrypted. I'm glad we have TLS (almost) everywhere these days but I'm not so impressed by how badly the "new" web performs.

BizarroLand2y ago

I don't know. I miss it a bit. There was a vibe of exploration that is difficult to recreate now, the cattle have overgrazed the field.

popey2y ago

This is coming up on 20 years old soon. Maybe add [2006] to the title :D

https://web.archive.org/web/20060315081659/http://www.ex-par...

fanf22y ago

Pete is also known for running https://www.mythic-beasts.com/

bclemens2y ago

Ha, fun to see this again! Back before everything was HTTPS, it was fun to use the Browser Exploitation Framework (https://beefproject.com) which had a script included that did this. Though in those cases I wasn't in control of the gateway, so ARP spoofing was required to get other devices to route through me.

jwineinger2y ago

I remember pranking my college roommates with this close to 20 years ago. Thanks for the memory refresh :D

alsetmusic2y ago

Hahaha.

https://news.ycombinator.com/item?id=39734943

j / k navigate · click thread line to collapse

19 comments

geek_at2y ago

It's almost unimaginable today that browser traffic used to be unencrypted and people in your network or down the line to your target could see and modify your traffic.

[1] https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...

[2] https://blog.haschek.at/2015-analyzing-443-free-proxies/

Espressosaurus2y ago

Firesheep showed everyone, and I mean everyone how bad an idea it was. It was a bad idea before, but it was more invisibly bad.

It's hard to ignore when randos are screwing with you in real-time.

I'm sorry that open view of the internet ended, but it also ended far later than it should have by rights.

didntcheck2y ago

alsetmusic2y ago

1 more reply

dogleash2y ago

> Yeah, it was insane how long it took for developers to start taking transport security seriously.

It's just the way life works.

In 10 years it will be "insane" that your computer ever ran any unsigned code.

10 more years after that it will be "insane" that computers trusting a codesigning key other than the blessed ones were ever allowed to connect to anything useful over the internet.

1 more reply

purerandomness2y ago

And yet, every time there's an article about TLS, we have the same debate here with a few people arguing that their personal websites don't need HTTPS...

dclowd99012y ago

So TLS benefits people who steal WiFi?

batch122y ago

Yes and also everyone else.

Beretta_Vexee2y ago

This page is over ten years old. Back then, it was relatively easy to use ARP spoofing on the local network, identify your workstation as the gateway to the Internet and does MitM.

There's a student residence that displayed a lot of ads for Bible studies and gay porn about fifteen years ago.

This wouldn't work nowadays if the majority of traffic was encrypted using TLS and authenticated using certificates.

rnts082y ago

The bad old days, when things were slower and unencrypted. I'm glad we have TLS (almost) everywhere these days but I'm not so impressed by how badly the "new" web performs.

BizarroLand2y ago

I don't know. I miss it a bit. There was a vibe of exploration that is difficult to recreate now, the cattle have overgrazed the field.

popey2y ago

This is coming up on 20 years old soon. Maybe add [2006] to the title :D

https://web.archive.org/web/20060315081659/http://www.ex-par...

fanf22y ago

Pete is also known for running https://www.mythic-beasts.com/

bclemens2y ago

jwineinger2y ago

I remember pranking my college roommates with this close to 20 years ago. Thanks for the memory refresh :D

alsetmusic2y ago

Hahaha.

https://news.ycombinator.com/item?id=39734943

j / k navigate · click thread line to collapse